zeek/src/event.bif
Robin Sommer 5ff7afaadb Tweaks.
2012-01-09 18:28:43 -08:00

##! The events that the C/C++ core of Bro can generate. This is mostly
##! consisting of high-level network events that protocol analyzers detect,
##! but there are also several general-utility events generated by internal
##! Bro frameworks.
#
# Documentation conventions:
#
#    - Use past tense for activity that has already occurred.
#
#    - List parameters with an empty line in between.
#
#    - Within the description, reference other parameters of the same event
#      as *arg*.
#
#    - Order:
#
#        - Short initial sentence (which doesn't need to be a sentence),
#          starting with "Generated ..."
#
#        - Description
#
#        - Parameters
#
#        - .. bro:see::
#
#        - .. note::
#
#        - .. todo::

## Generated at Bro initialization time. The event engine generates this
## event just before normal input processing begins. It can be used to execute
## one-time initialization code at startup. At the time a handler runs, Bro will
## have executed any global initializations and statements.
##
## .. bro:see:: bro_done
##
## .. note::
##
## When a ``bro_init`` handler executes, Bro has not yet seen any input packets
## and therefore :bro:id:`network_time` is not initialized yet. An artifact
## of that is that any timer installed in a ``bro_init`` handler will fire
## immediately with the first packet. The standard way to work around that is to
## ignore the first time the timer fires and immediately reschedule.
##
event bro_init%(%);
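The note above describes a timer scheduled from ``bro_init`` firing with the first packet and the usual workaround. The following script is an added example, not part of event.bif: it schedules a periodic event from ``bro_init``, discards the artifact firing and only then starts the real cadence. The event name, interval and flag variable are hypothetical.

```bro
# Added example (not from event.bif): periodic timer started in bro_init.
global heartbeat: event();

# Hypothetical cadence for the periodic check.
const heartbeat_interval = 5 mins &redef;

# Becomes true once the artifact firing (with the first packet) has been consumed.
global heartbeat_primed = F;

event heartbeat()
    {
    if ( ! heartbeat_primed )
        {
        # Artifact: network_time() was not initialized in bro_init, so this
        # firing arrived with the first packet rather than after the interval.
        # Ignore it and reschedule so the cadence is measured from now on.
        heartbeat_primed = T;
        schedule heartbeat_interval { heartbeat() };
        return;
        }

    print fmt("heartbeat at %s", network_time());
    schedule heartbeat_interval { heartbeat() };
    }

event bro_init()
    {
    # No packets seen yet; the timer below will fire with the first one.
    schedule heartbeat_interval { heartbeat() };
    }
```

Without the ``heartbeat_primed`` guard the first report would carry the timestamp of the first packet rather than one ``heartbeat_interval`` later, which matters for anything that computes rates from the elapsed time.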
## Generated at Bro termination time. The event engine generates this event when
## Bro is about to terminate, either due to having exhausted reading its input
## trace file(s), receiving a termination signal, or because Bro was run without
## a network input source and has finished executing any global statements.
##
## .. bro:see:: bro_init
##
## .. note::
##
## If Bro terminates due to an invocation of :bro:id:`exit`, then this event is
## not generated.
event bro_done%(%);
## Generated when an internal DNS lookup produces the same result as last time.
## Bro keeps an internal DNS cache for host names and IP addresses it has
## already resolved. This event is generated when a subsequent lookup returns
## the same result as stored in the cache.
##
## dm: A record describing the new resolver result (which matches the old one).
##
## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified
event dns_mapping_valid%(dm: dns_mapping%);
## Generated when an internal DNS lookup got no answer even though it had
## succeeded in the past. Bro keeps an internal DNS cache for host names and IP
## addresses it has already resolved. This event is generated when a subsequent
## lookup does not produce an answer even though we have already stored a
## result in the cache.
##
## dm: A record describing the old resolver result.
##
## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_valid
event dns_mapping_unverified%(dm: dns_mapping%);
## Generated when an internal DNS lookup succeeded but an earlier attempt did
## not. Bro keeps an internal DNS cache for host names and IP addresses it has
## already resolved. This event is generated when a subsequent lookup produces
## an answer for a query that was marked as failed in the cache.
##
## dm: A record describing the new resolver result.
##
## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_unverified
## dns_mapping_valid
event dns_mapping_new_name%(dm: dns_mapping%);
## Generated when an internal DNS lookup returned zero answers even though it
## had succeeded in the past. Bro keeps an internal DNS cache for host names and
## IP addresses it has already resolved. This event is generated when a
## subsequent lookup receives an answer that is empty even though we have
## already stored a result in the cache.
##
## dm: A record describing the old resolver result.
##
## .. bro:see:: dns_mapping_altered dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid
event dns_mapping_lost_name%(dm: dns_mapping%);
## Generated when an internal DNS lookup produced a different result than in
## the past. Bro keeps an internal DNS cache for host names and IP addresses it
## has already resolved. This event is generated when a subsequent lookup
## returns a different answer than we have stored in the cache.
##
## dm: A record describing the new resolver result.
##
## old_addrs: Addresses that used to be part of the returned set for the query
## described by *dm*, but are not anymore.
##
## new_addrs: Addresses that did not use to be part of the returned set for the
## query described by *dm*, but now are.
##
## .. bro:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid
event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%);
## Generated for every new connection. The event is raised with the first packet
## of a previously unknown connection. Bro uses a flow-based definition of
## "connection" here that includes not only TCP sessions but also UDP and ICMP
## flows.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_established connection_external connection_finished
## connection_first_ACK connection_half_finished connection_partial_close
## connection_pending connection_rejected connection_reset connection_reused
## connection_state_remove connection_status_update connection_timeout
## expected_connection_seen new_connection_contents partial_connection
##
## .. note::
##
## Handling this event is potentially expensive. For example, during a SYN
## flooding attack, every spoofed SYN packet will lead to a new
## event.
event new_connection%(c: connection%);
## Generated when reassembly starts for a TCP connection. The event is raised
## at the moment when Bro's TCP analyzer enables stream reassembly for a
## connection.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_established connection_external connection_finished
## connection_first_ACK connection_half_finished connection_partial_close
## connection_pending connection_rejected connection_reset connection_reused
## connection_state_remove connection_status_update connection_timeout
## expected_connection_seen new_connection partial_connection
event new_connection_contents%(c: connection%);
## Generated for an unsuccessful connection attempt. The event is raised when an
## originator unsuccessfully attempted to establish a connection. "Unsuccessful"
## is defined as at least :bro:id:`tcp_attempt_delay` seconds having elapsed since
## the originator first sent a connection establishment packet to the destination
## without seeing a reply.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_established
## connection_external connection_finished connection_first_ACK
## connection_half_finished connection_partial_close connection_pending
## connection_rejected connection_reset connection_reused connection_state_remove
## connection_status_update connection_timeout expected_connection_seen
## new_connection new_connection_contents partial_connection
event connection_attempt%(c: connection%);
## Generated for an established TCP connection. The event is raised when the
## initial 3-way TCP handshake has successfully finished for a connection.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_external connection_finished connection_first_ACK
## connection_half_finished connection_partial_close connection_pending
## connection_rejected connection_reset connection_reused connection_state_remove
## connection_status_update connection_timeout expected_connection_seen
## new_connection new_connection_contents partial_connection
event connection_established%(c: connection%);
## Generated for a new active TCP connection if Bro did not see the initial
## handshake. The event is raised when Bro has observed traffic from each endpoint,
## but the activity did not begin with the usual connection establishment.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_established connection_external connection_finished
## connection_first_ACK connection_half_finished connection_partial_close
## connection_pending connection_rejected connection_reset connection_reused
## connection_state_remove connection_status_update connection_timeout
## expected_connection_seen new_connection new_connection_contents
##
event partial_connection%(c: connection%);
## Generated when a previously inactive endpoint attempts to close a TCP connection
## via a normal FIN handshake or an abort RST sequence. When the endpoint sent
## one of these packets, Bro waits :bro:id:`tcp_partial_close_delay` prior
## to generating the event, to give the other endpoint a chance to close the
## connection normally.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_established connection_external connection_finished
## connection_first_ACK connection_half_finished connection_pending
## connection_rejected connection_reset connection_reused connection_state_remove
## connection_status_update connection_timeout expected_connection_seen
## new_connection new_connection_contents partial_connection
event connection_partial_close%(c: connection%);
## Generated for a TCP connection that finished normally. The event is raised
## when a regular FIN handshake from both endpoints was observed.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_established connection_external connection_first_ACK
## connection_half_finished connection_partial_close connection_pending
## connection_rejected connection_reset connection_reused connection_state_remove
## connection_status_update connection_timeout expected_connection_seen
## new_connection new_connection_contents partial_connection
event connection_finished%(c: connection%);
## Generated when one endpoint of a TCP connection attempted to gracefully close
## the connection, but the other endpoint is in the TCP_INACTIVE state. This can
## happen due to split routing, in which Bro only sees one side of a connection.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_established connection_external connection_finished
## connection_first_ACK connection_partial_close connection_pending
## connection_rejected connection_reset connection_reused connection_state_remove
## connection_status_update connection_timeout expected_connection_seen
## new_connection new_connection_contents partial_connection
event connection_half_finished%(c: connection%);
## Generated for a rejected TCP connection. The event is raised when an originator
## attempted to set up a TCP connection but the responder replied with a RST packet
## denying it.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_established connection_external connection_finished
## connection_first_ACK connection_half_finished connection_partial_close
## connection_pending connection_reset connection_reused connection_state_remove
## connection_status_update connection_timeout expected_connection_seen
## new_connection new_connection_contents partial_connection
##
## .. note::
##
## If the responder does not respond at all, :bro:id:`connection_attempt` is
## raised instead. If the responder initially accepts the connection but aborts
## it later, Bro first generates :bro:id:`connection_established` and then
## :bro:id:`connection_reset`.
event connection_rejected%(c: connection%);
## Generated when an endpoint aborted a TCP connection. The event is raised
## when one endpoint of an established TCP connection aborted it by sending a
## RST packet.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_established connection_external connection_finished
## connection_first_ACK connection_half_finished connection_partial_close
## connection_pending connection_rejected connection_reused
## connection_state_remove connection_status_update connection_timeout
## expected_connection_seen new_connection new_connection_contents
## partial_connection
event connection_reset%(c: connection%);
## Generated for each still-open connection when Bro terminates.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_established connection_external connection_finished
## connection_first_ACK connection_half_finished connection_partial_close
## connection_rejected connection_reset connection_reused connection_state_remove
## connection_status_update connection_timeout expected_connection_seen
## new_connection new_connection_contents partial_connection bro_done
event connection_pending%(c: connection%);
## Generated when a connection's internal state is about to be removed from
## memory. Bro generates this event reliably once for every connection when it
## is about to delete the internal state. As such, the event is well-suited for
## script-level cleanup that needs to be performed for every connection. The
## ``connection_state_remove`` event is generated not only for TCP sessions but
## also for UDP and ICMP flows.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_established connection_external connection_finished
## connection_first_ACK connection_half_finished connection_partial_close
## connection_pending connection_rejected connection_reset connection_reused
## connection_status_update connection_timeout expected_connection_seen
## new_connection new_connection_contents partial_connection udp_inactivity_timeout
## tcp_inactivity_timeout icmp_inactivity_timeout conn_stats
event connection_state_remove%(c: connection%);
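The connection events above fit together as a lifecycle: ``connection_established`` marks a completed handshake, ``connection_attempt`` and ``connection_rejected`` mark the two failure outcomes, and ``connection_state_remove`` is the one event guaranteed to run once for every connection. The script below is an added example, not part of event.bif, showing the pattern that makes use of that guarantee: per-connection state keyed by ``conn_id``, created in the early events and released in ``connection_state_remove``. The failed-attempt counter and its threshold are hypothetical bookkeeping for a defender watching for hosts that keep failing to connect; they are not a Bro default.

```bro
# Added example (not from event.bif): per-connection state with reliable cleanup.

# When each connection completed its 3-way handshake.
global established_at: table[conn_id] of time;

# Unanswered or rejected TCP attempts per originating host (hypothetical).
global failed_attempts: table[addr] of count;
const failed_attempt_threshold = 20 &redef;

function note_failed_attempt(orig: addr)
    {
    if ( orig !in failed_attempts )
        failed_attempts[orig] = 0;

    ++failed_attempts[orig];

    # Report once, when the threshold is crossed.
    if ( failed_attempts[orig] == failed_attempt_threshold )
        print fmt("%s reached %d unanswered or rejected TCP connection attempts",
                  orig, failed_attempt_threshold);
    }

event connection_established(c: connection)
    {
    # Handshake finished; remember when, keyed by the 4-tuple.
    established_at[c$id] = network_time();
    }

event connection_attempt(c: connection)
    {
    # No reply within tcp_attempt_delay.
    note_failed_attempt(c$id$orig_h);
    }

event connection_rejected(c: connection)
    {
    # Responder answered the SYN with a RST.
    note_failed_attempt(c$id$orig_h);
    }

event connection_state_remove(c: connection)
    {
    # Fires exactly once per connection, however it ended (FIN, RST, timeout,
    # Bro shutdown), so per-connection state is released here and nowhere else.
    if ( c$id in established_at )
        {
        print fmt("%s:%s -> %s:%s lasted %s",
                  c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
                  network_time() - established_at[c$id]);
        delete established_at[c$id];
        }
    }
```

Deleting in ``connection_state_remove`` rather than in ``connection_finished`` or ``connection_reset`` is what keeps ``established_at`` from growing without bound, since neither of those two is generated for connections that time out.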
## Generated for a SYN packet. Bro raises this event for every SYN packet seen by
## its TCP analyzer.
##
## c: The connection.
##
## pkt: Information extracted from the SYN packet.
##
## .. bro:see:: connection_EOF connection_attempt connection_established
## connection_external connection_finished connection_first_ACK
## connection_half_finished connection_partial_close connection_pending
## connection_rejected connection_reset connection_reused connection_state_remove
## connection_status_update connection_timeout expected_connection_seen
## new_connection new_connection_contents partial_connection
##
## .. note::
##
## This event has quite low-level semantics and can potentially be expensive to
## generate. It should only be used if one really needs the specific information
## passed into the handler via the ``pkt`` argument. If not, handling one of the
## other ``connection_*`` events is typically the better approach.
event connection_SYN_packet%(c: connection, pkt: SYN_packet%);
## Generated for the first ACK packet seen for a TCP connection from
## its *originator*.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_established connection_external connection_finished
## connection_half_finished connection_partial_close connection_pending
## connection_rejected connection_reset connection_reused connection_state_remove
## connection_status_update connection_timeout expected_connection_seen
## new_connection new_connection_contents partial_connection
##
## .. note::
##
## This event has quite low-level semantics and should be used only rarely.
event connection_first_ACK%(c: connection%);
## Generated when a TCP connection timed out. This event is raised when no activity
## was seen for an interval of at least :bro:id:`tcp_connection_linger`, and
## either one endpoint has already closed the connection or one side never
## became active.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_established connection_external connection_finished
## connection_first_ACK connection_half_finished connection_partial_close
## connection_pending connection_rejected connection_reset connection_reused
## connection_state_remove connection_status_update expected_connection_seen
## new_connection new_connection_contents partial_connection
##
## .. note::
##
## The precise semantics of this event can be unintuitive as it only
## covers a subset of cases where a connection times out. Often, handling
## :bro:id:`connection_state_remove` is the better option. That one will be
## generated reliably when an interval of ``tcp_inactivity_timeout`` has passed
## without any activity seen (but also for all other ways a connection may
## terminate).
event connection_timeout%(c: connection%);
## Generated when a connection 4-tuple is reused. The event is raised when Bro
## sees a new TCP session or UDP flow using a 4-tuple matching that of an earlier
## connection it still considers active.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_established connection_external connection_finished
## connection_first_ACK connection_half_finished connection_partial_close
## connection_pending connection_rejected connection_reset connection_state_remove
## connection_status_update connection_timeout expected_connection_seen
## new_connection new_connection_contents partial_connection
event connection_reused%(c: connection%);
## Generated at regular intervals during the lifetime of a connection. The
## event is raised every ``connection_status_update_interval`` seconds
## and can be used to check conditions on a regular basis.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_established connection_external connection_finished
## connection_first_ACK connection_half_finished connection_partial_close
## connection_pending connection_rejected connection_reset connection_reused
## connection_state_remove connection_timeout expected_connection_seen
## new_connection new_connection_contents partial_connection
event connection_status_update%(c: connection%);
## Generated at the end of reassembled TCP connections. The TCP reassembler
## raises the event once for each endpoint of a connection when it finished
## reassembling the corresponding side of the communication.
##
## c: The connection.
##
## is_orig: True if the event is raised for the originator side.
##
## .. bro:see:: connection_SYN_packet connection_attempt connection_established
## connection_external connection_finished connection_first_ACK
## connection_half_finished connection_partial_close connection_pending
## connection_rejected connection_reset connection_reused connection_state_remove
## connection_status_update connection_timeout expected_connection_seen
## new_connection new_connection_contents partial_connection
event connection_EOF%(c: connection, is_orig: bool%);
## Generated for a new connection received from the communication subsystem. Remote
## peers can inject packets into Bro's packet loop, for example via :doc:`Broccoli
## </components/broccoli/README>`. The communication system raises this event
## with the first packet of a connection coming in this way.
event connection_external%(c: connection, tag: string%);
## Generated when a connection is seen that has previously been marked as
## expected. The function :bro:id:`expect_connection` tells Bro to expect a
## particular connection to come up, and which analyzer to associate with it.
## Once the first packet of such a connection is indeed seen, this event is
## raised.
##
## c: The connection.
##
## a: The analyzer that was scheduled for the connection with the
## :bro:id:`expect_connection` call. When the event is raised, that
## analyzer will already have been activated to process the connection. The
## ``count`` is one of the ``ANALYZER_*`` constants, e.g., ``ANALYZER_HTTP``.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
## connection_established connection_external connection_finished
## connection_first_ACK connection_half_finished connection_partial_close
## connection_pending connection_rejected connection_reset connection_reused
## connection_state_remove connection_status_update connection_timeout
## new_connection new_connection_contents partial_connection
##
## .. todo:: We don't have a good way to document the automatically generated
## ``ANALYZER_*`` constants right now.
event expected_connection_seen%(c: connection, a: count%);
## Generated for every packet Bro sees. This is a very low-level and expensive
## event that should be avoided when at all possible. It's usually infeasible to
## handle when processing even medium volumes of traffic in real-time. That
## said, if you work from a trace and want to do some packet-level analysis,
## it may come in handy.
##
## c: The connection the packet is part of.
##
## p: Information from the header of the packet that triggered the event.
##
## .. bro:see:: tcp_packet packet_contents
event new_packet%(c: connection, p: pkt_hdr%);
## Generated for every packet that has non-empty transport-layer payload. This is a
## very low-level and expensive event that should be avoided when at all possible.
## It's usually infeasible to handle when processing even medium volumes of
## traffic in real-time. It's even worse than :bro:id:`new_packet`. That said, if
## you work from a trace and want to do some packet-level analysis, it may come in
## handy.
##
## c: The connection the packet is part of.
##
## contents: The raw transport-layer payload.
##
## .. bro:see:: new_packet tcp_packet
event packet_contents%(c: connection, contents: string%);
## Generated for every TCP packet. This is a very low-level and expensive event
## that should be avoided when at all possible. It's usually infeasible to handle
## when processing even medium volumes of traffic in real-time. It's slightly
## better than :bro:id:`new_packet` because it affects only TCP, but not much. That
## said, if you work from a trace and want to do some packet-level analysis, it may
## come in handy.
##
## c: The connection the packet is part of.
##
## is_orig: True if the packet was sent by the connection's originator.
##
## flags: A string with the packet's TCP flags. In the string, each character
## corresponds to one set flag, as follows: ``S`` -> SYN; ``F`` -> FIN;
## ``R`` -> RST; ``A`` -> ACK; ``P`` -> PUSH.
##
## seq: The packet's TCP sequence number.
##
## ack: The packet's ACK number.
##
## len: The length of the TCP payload, as specified in the packet header.
##
## payload: The raw TCP payload. Note that this may be less than *len* if the
## packet was not fully captured.
##
## .. bro:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit
event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%);
## Generated for each option found in a TCP header. Like many of the ``tcp_*``
## events, this is a very low-level event and potentially expensive as it may
## be raised very often.
##
## c: The connection the packet is part of.
##
## is_orig: True if the packet was sent by the connection's originator.
##
## opt: The numerical option number, as found in the TCP header.
##
## optlen: The length of the options value.
##
## .. bro:see:: tcp_packet tcp_contents tcp_rexmit
##
## .. note:: There is currently no way to get the actual option value, if any.
event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%);
## Generated for each chunk of reassembled TCP payload. When content delivery is
## enabled for a TCP connection (via :bro:id:`tcp_content_delivery_ports_orig`,
## :bro:id:`tcp_content_delivery_ports_resp`,
## :bro:id:`tcp_content_deliver_all_orig`,
## :bro:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk
## of in-order payload reconstructed from the packet stream. Note that this event
## is potentially expensive if many connections carry significant amounts of
## data, as all of it then needs to be passed on to the scripting layer.
##
## c: The connection the payload is part of.
##
## is_orig: True if the packet was sent by the connection's originator.
##
## seq: The sequence number corresponding to the first byte of the payload
## chunk.
##
## payload: The raw payload, which will be non-empty.
##
## .. bro:see:: tcp_packet tcp_option tcp_rexmit
## tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp
## tcp_content_deliver_all_resp tcp_content_deliver_all_orig
##
## .. note::
##
## The payload received by this event is the same that is also passed into
## application-layer protocol analyzers internally. Subsequent invocations of
## this event for the same connection receive non-overlapping in-order chunks
## of its TCP payload stream. It is however undefined what size each chunk
## has; while Bro passes the data on as soon as possible, specifics depend on
## network-level effects such as latency, acknowledgements, reordering, etc.
event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%);
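The ``tcp_contents`` description above names the tables that switch delivery on per port and states that chunks arrive in order, non-overlapping and of unpredictable size. The script below is an added example, not part of event.bif: it enables delivery for one port in both directions and keeps only per-direction byte totals, which is the one quantity that stays meaningful when chunk boundaries are arbitrary. The port (80/tcp), the ``delivered`` table and the reporting helper are hypothetical.

```bro
# Added example (not from event.bif): consuming reassembled TCP payload chunks.

# Enable delivery for one hypothetical port, both directions.
redef tcp_content_delivery_ports_orig += { [80/tcp] = T };
redef tcp_content_delivery_ports_resp += { [80/tcp] = T };

# Bytes delivered so far, per connection and direction (T = originator side).
global delivered: table[conn_id, bool] of count;

function report_side(cid: conn_id, is_orig: bool)
    {
    if ( [cid, is_orig] !in delivered )
        return;

    print fmt("%s side of %s:%s -> %s:%s delivered %d bytes",
              is_orig ? "originator" : "responder",
              cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p,
              delivered[cid, is_orig]);

    delete delivered[cid, is_orig];
    }

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
    {
    if ( [c$id, is_orig] !in delivered )
        delivered[c$id, is_orig] = 0;

    # Chunks are in order and never overlap, so the running sum is exact;
    # how large each chunk is depends on acknowledgements and reordering.
    delivered[c$id, is_orig] += |contents|;

    # Payload is never empty, so the total equals this chunk's size only for
    # the first chunk of a side: seq is then the start of that side's stream.
    if ( delivered[c$id, is_orig] == |contents| )
        print fmt("%s side of %s:%s -> %s:%s starts at seq %d",
                  is_orig ? "originator" : "responder",
                  c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, seq);
    }

event connection_state_remove(c: connection)
    {
    # Both directions are released here; connection_EOF would only cover
    # sides whose reassembly finished cleanly.
    report_side(c$id, T);
    report_side(c$id, F);
    }
```

Anything that needs message boundaries (a request line, a header block) has to buffer across ``tcp_contents`` invocations itself; the event gives no guarantee that a chunk ends where the application protocol does.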
## Generated
event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%);
## Generated when Bro detects a TCP retransmission inconsistency. When
## reassembling a TCP stream, Bro buffers all payload until it sees the responder
## acknowledging it. If during that time the sender resends a chunk of payload
## with different content than originally, this event will be raised.
##
## c: The connection showing the inconsistency.
##
## t1: The original payload.
##
## t2: The new payload.
##
## .. bro:see:: tcp_rexmit tcp_contents
event rexmit_inconsistency%(c: connection, t1: string, t2: string%);
## Generated when a TCP endpoint acknowledges payload that Bro never saw.
##
## c: The connection.
##
## .. bro:see:: content_gap
##
## .. note::
##
## Seeing an acknowledgment indicates that the responder of the connection
## says it has received the corresponding data. If Bro did not, it must have
## either missed one or more packets, or the responder's TCP stack is broken
## (which isn't unheard of). In practice, one will always see a few of these
## events in any larger volume of network traffic. If there are lots of them,
## however, that typically means that there is a problem with the monitoring
## infrastructure such as a tap dropping packets, split routing on the path, or
## reordering at the tap.
##
## This event reports similar situations as :bro:id:`content_gap`, though their
## specifics differ slightly. Often, however, both will be raised for the same
## connection if some of its data is missing. We should eventually merge
## the two.
event ack_above_hole%(c: connection%);
## Generated when Bro detects a gap in a reassembled TCP payload stream. This event
## is raised when Bro, while reassembling a payload stream, determines that a chunk
## of payload is missing (e.g., because the responder has already acknowledged it,
## even though Bro didn't see it).
##
## c: The connection.
##
## is_orig: True if the gap is on the originator's side.
##
## seq: The sequence number where the gap starts.
##
## length: The number of bytes missing.
##
## .. bro:see:: ack_above_hole
##
## .. note::
##
## Content gaps tend to occur occasionally for various reasons, including broken
## TCP stacks. If, however, one finds lots of them, that typically means that
## there is a problem with the monitoring infrastructure such as a tap dropping
## packets, split routing on the path, or reordering at the tap.
##
## This event reports similar situations as :bro:id:`ack_above_hole`, though
## their specifics differ slightly. Often, however, both will be raised for a
## connection if some of its data is missing. We should eventually merge the
## two.
event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
## Summarizes the amount of missing TCP payload at regular intervals. Internally,
## Bro tracks (1) the number of :bro:id:`ack_above_hole` events, including the
## number of bytes missing; and (2) the total number of TCP acks seen, with the
## total volume of bytes that have been acked. This event reports these statistics
## in :bro:id:`gap_report_freq` intervals for the purpose of determining packet
## loss.
##
## dt: The time that has passed since the last ``gap_report`` interval.
##
## info: The gap statistics.
##
## .. bro:see:: content_gap ack_above_hole
##
## .. note::
##
## Bro comes with a script :doc:`/scripts/policy/misc/capture-loss` that uses
## this event to estimate packet loss and report when a predefined threshold is
## exceeded.
event gap_report%(dt: interval, info: gap_info%);
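Both notes above make the same operational point: a few gaps are normal, many gaps mean the monitoring path is dropping or reordering packets. The script below is an added example, not part of event.bif and not the capture-loss script the note refers to: it counts ``content_gap`` events per connection and turns each ``gap_report`` into a loss percentage. It assumes ``gap_info`` carries the fields ``ack_bytes``, ``ack_events``, ``gap_bytes`` and ``gap_events``, and that ``gap_report_freq`` is redef-able; the reporting interval and the 1% alert threshold are hypothetical.

```bro
# Added example (not from event.bif): estimating capture loss from gap events.

# Assumed redef-able; hypothetical reporting interval.
redef gap_report_freq = 5 mins;

# Hypothetical threshold above which the monitoring path deserves attention.
const loss_alert_pct = 1.0 &redef;

# Gaps observed per connection, released when the connection goes away.
global gaps_per_conn: table[conn_id] of count;

event content_gap(c: connection, is_orig: bool, seq: count, length: count)
    {
    if ( c$id !in gaps_per_conn )
        gaps_per_conn[c$id] = 0;

    ++gaps_per_conn[c$id];
    }

event connection_state_remove(c: connection)
    {
    if ( c$id !in gaps_per_conn )
        return;

    # A single gap is within normal noise; repeated gaps on one connection
    # are worth a line.
    if ( gaps_per_conn[c$id] > 1 )
        print fmt("%s:%s -> %s:%s had %d content gaps",
                  c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
                  gaps_per_conn[c$id]);

    delete gaps_per_conn[c$id];
    }

event gap_report(dt: interval, info: gap_info)
    {
    # Nothing acknowledged means there is nothing to compare the gaps against.
    if ( info$ack_bytes == 0 )
        return;

    # Missing bytes as a share of all acknowledged bytes (assumed field names).
    local pct_lost = 100.0 * info$gap_bytes / info$ack_bytes;

    print fmt("gap report over %s: %d gaps / %d acks, %.3f%% of acked bytes missing",
              dt, info$gap_events, info$ack_events, pct_lost);

    if ( pct_lost > loss_alert_pct )
        print fmt("capture loss above %.1f%%: check tap, span port and routing",
                  loss_alert_pct);
    }
```

Bytes rather than event counts are the right denominator: one large hole and many tiny ones produce very different ``gap_events`` figures but the same effect on analysis coverage.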
## Generated when a protocol analyzer confirms that a connection is indeed
## using that protocol. Bro's dynamic protocol detection heuristically activates
## analyzers as soon as it believes a connection *could* be using a particular
## protocol. It is then left to the corresponding analyzer to verify whether that
## is indeed the case; if so, this event will be generated.
##
## c: The connection.
##
## atype: The type of the analyzer confirming that its protocol is in
## use. The value is one of the ``ANALYZER_*`` constants. For example,
## ``ANALYZER_HTTP`` means the HTTP analyzers determined that it's indeed
## parsing an HTTP connection.
##
## aid: A unique integer ID identifying the specific *instance* of the
## analyzer *atype* that is analyzing the connection ``c``. The ID can
## be used to reference the analyzer when using builtin functions like
## :bro:id:`disable_analyzer`.
##
## .. bro:see:: protocol_violation
##
## .. note::
##
## Bro's default scripts use this event to determine the ``service`` column of
## :bro:type:`Conn::Info`: once confirmed, the protocol will be listed there
## (and thus in ``conn.log``).
event protocol_confirmation%(c: connection, atype: count, aid: count%);
## Generated when a protocol analyzer determines that a connection it is parsing
## is not conforming to the protocol it expects. Bro's dynamic protocol detection
## heuristically activates analyzers as soon as it believes a connection *could* be
## using a particular protocol. It is then left to the corresponding analyzer to
## verify whether that is indeed the case; if not, the analyzer will trigger this
## event.
##
## c: The connection.
##
## atype: The type of the analyzer reporting the violation. The value is one
## of the ``ANALYZER_*`` constants. For example, ``ANALYZER_HTTP`` means the
## HTTP analyzer determined that it is not parsing an HTTP connection.
##
## aid: A unique integer ID identifying the specific *instance* of the
## analyzer *atype* that is analyzing the connection ``c``. The ID can
## be used to reference the analyzer when using builtin functions like
## :bro:id:`disable_analyzer`.
##
## reason: A string describing the violation.
##
## .. bro:see:: protocol_confirmation
##
## .. note::
##
## Bro's default scripts use this event to disable an analyzer via
## :bro:id:`disable_analyzer` if it's parsing the wrong protocol. That's however
## a script-level decision and not done automatically by the event engine.
event protocol_violation%(c: connection, atype: count, aid: count, reason: string%);
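The two notes above describe the split of responsibility: the core only reports confirmations and violations, and whether a misbehaving analyzer is switched off is a script-level choice. The script below is an added example, not part of event.bif and not Bro's default dpd script: it records which analyzer types confirmed each connection, and on a violation disables the specific analyzer instance identified by *aid*, which is what the note says the default scripts do. ``disable_analyzer(cid, aid)`` is the builtin named in the doc; ``analyzer_name(atype)`` is assumed here to map an ``ANALYZER_*`` constant to its printable name. The ``confirmed_analyzers`` table is hypothetical.

```bro
# Added example (not from event.bif): reacting to protocol confirmations and violations.

# Analyzer types that confirmed each connection (hypothetical bookkeeping).
global confirmed_analyzers: table[conn_id] of set[count];

event protocol_confirmation(c: connection, atype: count, aid: count)
    {
    if ( c$id !in confirmed_analyzers )
        confirmed_analyzers[c$id] = set();

    add confirmed_analyzers[c$id][atype];
    }

event protocol_violation(c: connection, atype: count, aid: count, reason: string)
    {
    # analyzer_name() assumed to translate the ANALYZER_* constant.
    print fmt("%s:%s -> %s:%s: %s analyzer (instance %d) reports violation: %s",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
              analyzer_name(atype), aid, reason);

    # Script-level decision: stop this instance only. Other analyzers attached
    # to the same connection keep running, and the core would not do this itself.
    disable_analyzer(c$id, aid);
    }

event connection_state_remove(c: connection)
    {
    if ( c$id !in confirmed_analyzers )
        return;

    for ( atype in confirmed_analyzers[c$id] )
        print fmt("%s:%s -> %s:%s confirmed as %s",
                  c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
                  analyzer_name(atype));

    delete confirmed_analyzers[c$id];
    }
```

Disabling by *aid* rather than by *atype* matters when several instances of the same analyzer type are attached to one connection: only the instance that reported the violation is affected.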
## Generated for each packet sent by a UDP flow's originator. This is a potentially
## expensive event due to the volume of UDP traffic and should be used with care.
##
## u: The connection record for the corresponding UDP flow.
##
## .. bro:see:: udp_contents udp_reply udp_session_done
event udp_request%(u: connection%);
## Generated for each packet sent by a UDP flow's responder. This is a potentially
## expensive event due to the volume of UDP traffic and should be used with care.
##
## u: The connection record for the corresponding UDP flow.
##
## .. bro:see:: udp_contents udp_request udp_session_done
event udp_reply%(u: connection%);
## Generated for UDP packets to pass on their payload. As the number of UDP
## packets can be very large, this event is normally raised only for those on
## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets sent
## by the flow's originator) or :bro:id:`udp_content_delivery_ports_resp` (for
## packets sent by the flow's responder). However, delivery can be enabled for all
## UDP request and reply packets by setting :bro:id:`udp_content_deliver_all_orig`
## or :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this event is
## also raised for all matching UDP packets, including empty ones.
##
## u: The connection record for the corresponding UDP flow.
##
## is_orig: True if the event is raised for the originator side.
##
## contents: The packet's payload.
##
## .. bro:see:: udp_reply udp_request udp_session_done
## udp_content_deliver_all_orig udp_content_deliver_all_resp
## udp_content_delivery_ports_orig udp_content_delivery_ports_resp
event udp_contents%(u: connection, is_orig: bool, contents: string%);
## Generated when a UDP session for a supported protocol has finished. Some of
## Bro's application-layer UDP analyzers flag the end of a session by raising this
## event. Currently, the analyzers for DNS, NTP, Netbios, and Syslog support this.
##
## u: The connection record for the corresponding UDP flow.
##
## .. bro:see:: udp_contents udp_reply udp_request
event udp_session_done%(u: connection%);
## Generated for all ICMP messages that are not handled separately with dedicated
## ICMP events. Bro's ICMP analyzer handles a number of ICMP messages directly
## with dedicated events. This handler acts as a fallback for those it doesn't.
## The *icmp* record provides more information about the message.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_redirect
## icmp_time_exceeded icmp_unreachable
event icmp_sent%(c: connection, icmp: icmp_conn%);
## Generated for ICMP *echo request* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## id: The *echo request* identifier.
##
## seq: The *echo request* sequence number.
##
## payload: The message-specific data of the packet payload, i.e., everything after
## the first 8 bytes of the ICMP header.
##
## .. bro:see:: icmp_echo_reply icmp_redirect icmp_sent
## icmp_time_exceeded icmp_unreachable
event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
## Generated for ICMP *echo reply* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## id: The *echo reply* identifier.
##
## seq: The *echo reply* sequence number.
##
## payload: The message-specific data of the packet payload, i.e., everything after
## the first 8 bytes of the ICMP header.
##
## .. bro:see:: icmp_echo_request icmp_redirect icmp_sent
## icmp_time_exceeded icmp_unreachable
event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
## Generated for ICMP *destination unreachable* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## code: The ICMP code of the *unreachable* message.
##
## context: A record with specifics of the original packet that the message refers
## to. *Unreachable* messages should include the original IP header from the packet
## that triggered them, and Bro parses that into the *context* structure. Note
## that if the *unreachable* includes only a partial IP header for some reason, no
## fields of *context* will be filled out.
##
## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_redirect icmp_sent
## icmp_time_exceeded
event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
## Generated for ICMP *time exceeded* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## code: The ICMP code of the *exceeded* message.
##
## context: A record with specifics of the original packet that the message refers
## to. *Time exceeded* messages should include the original IP header from the packet
## that triggered them, and Bro parses that into the *context* structure. Note that
## if the *exceeded* includes only a partial IP header for some reason, no fields
## of *context* will be filled out.
##
## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_redirect icmp_sent
## icmp_unreachable
event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
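The following is an added example, not code from Bro itself: a small ICMPv4 parser that reproduces the split the ICMP analyzer makes between the echo events (*id*, *seq* and the payload after the 8-byte header) and the error events (*unreachable* and *time exceeded*, whose *context* is recovered from the quoted original IP header). The dict keys used for the context are this example's own choice, modelled on but not identical to Bro's ``icmp_context`` record; the sample datagram is constructed. As the text above says, a quoted header that is incomplete yields no context fields at all rather than a partially filled record.

```python
# Added example, not Bro's own code: a small ICMPv4 parser that produces the
# information Bro's ICMP analyzer hands to icmp_echo_request, icmp_echo_reply,
# icmp_unreachable and icmp_time_exceeded. The dict keys used for the embedded
# original header (the "context") are this example's own choice and are only
# modelled on, not identical to, Bro's icmp_context record.
import struct

ICMP_ECHO_REPLY = 0
ICMP_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte part of an IPv4 header


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a message carrying a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_embedded_ip_header(data: bytes) -> dict:
    """Parse the original IPv4 header quoted inside an ICMP error message.

    Like Bro's icmp_context, an incomplete header yields an empty context
    rather than a partially filled one.
    """
    if len(data) < 20:
        return {}
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HDR, data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(data) < ihl:
        return {}
    ctx = {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "proto": proto,
        "len": total_len,
        "ttl": ttl,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
    }
    # RFC 792 asks the sender to quote at least 8 bytes past the IP header, which
    # for TCP and UDP covers the port pair; only use them when actually present.
    if proto in (6, 17) and len(data) >= ihl + 4:
        ctx["src_port"], ctx["dst_port"] = struct.unpack("!HH", data[ihl:ihl + 4])
    return ctx


def parse_icmp(data: bytes) -> dict:
    """Dispatch on the ICMP type the way Bro's analyzer dispatches to events."""
    if len(data) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    msg_type, code, _csum = struct.unpack("!BBH", data[:4])
    msg = {"type": msg_type, "code": code, "checksum_ok": checksum(data) == 0}
    body = data[8:]  # "everything after the first 8 bytes of the ICMP header"
    if msg_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        msg["id"], msg["seq"] = struct.unpack("!HH", data[4:8])
        msg["payload"] = body
    elif msg_type in (ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED):
        msg["context"] = parse_embedded_ip_header(body)
    else:
        msg["payload"] = body  # would fall through to icmp_sent in Bro
    return msg


def build_icmp(msg_type: int, code: int, rest_of_header: bytes, body: bytes) -> bytes:
    """Assemble a message with a correct checksum (for constructing test input)."""
    assert len(rest_of_header) == 4
    msg = struct.pack("!BBH", msg_type, code, 0) + rest_of_header + body
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    return build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", ident, seq), payload)


def build_error(msg_type: int, code: int, original_datagram: bytes) -> bytes:
    return build_icmp(msg_type, code, b"\x00" * 4, original_datagram)


# Constructed sample: the start of a UDP datagram 10.0.0.1:53 -> 192.168.1.1:33434
# with DF set, as a router would quote it inside an error message.
SAMPLE_ORIGINAL_DATAGRAM = (
    struct.pack(IPV4_HDR, 0x45, 0, 36, 0x1234, 0x4000, 64, 17, 0,
                b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x01")
    + struct.pack("!HHHH", 53, 33434, 16, 0)
)

if __name__ == "__main__":
    print(parse_icmp(build_echo_request(0x1234, 7, b"hello")))
    print(parse_icmp(build_error(ICMP_UNREACHABLE, 3, SAMPLE_ORIGINAL_DATAGRAM)))
    # Truncated quote: only 10 bytes of the original header survive -> empty context.
    print(parse_icmp(build_error(ICMP_TIME_EXCEEDED, 0, SAMPLE_ORIGINAL_DATAGRAM[:10])))
```

The empty-context branch is the one to keep in mind when writing handlers for these events: a *context* whose fields are absent is normal for truncated or malformed error messages, so script code should test for presence before using them.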
## Generated for ICMP *redirect* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## a: The new destination address the message is redirecting to.
##
## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_sent
## icmp_time_exceeded icmp_unreachable
event icmp_redirect%(c: connection, icmp: icmp_conn, a: addr%);
## Generated when a TCP connection has terminated, passing on statistics about the
## two endpoints. This event is always generated when Bro flushes the internal
## connection state, independent of how a connection terminates.
##
## c: The connection.
##
## os: Statistics for the originator endpoint.
##
## rs: Statistics for the responder endpoint.
##
## .. bro:see:: connection_state_remove
event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
## Generated for unexpected activity related to a specific connection. When
## Bro's packet analysis encounters activity that does not conform to a protocol's
## specification, it raises one of the ``*_weird`` events to report that. This
## event is raised if the activity is tied directly to a specific connection.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
## scripts use this name in filtering policies that specify which "weirds" are
## worth reporting.
##
## c: The corresponding connection.
##
## addl: Optional additional context further describing the situation.
##
## .. bro:see:: flow_weird net_weird
##
## .. note:: "Weird" activity is much more common in real-world network traffic
## than one would intuitively expect. While in principle, any protocol violation
## could be an attack attempt, it's much more likely that an endpoint's
## implementation interprets an RFC quite liberally.
event conn_weird%(name: string, c: connection, addl: string%);
## Generated for unexpected activity related to a pair of hosts, but independent
## of a specific connection. When Bro's packet analysis encounters activity that
## does not conform to a protocol's specification, it raises one of the ``*_weird``
## events to report that. This event is raised if the activity is related to a
## pair of hosts, yet not to a specific connection between them.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
## scripts use this name in filtering policies that specify which "weirds" are
## worth reporting.
##
## src: The source address corresponding to the activity.
##
## dst: The destination address corresponding to the activity.
##
## .. bro:see:: conn_weird net_weird
##
## .. note:: "Weird" activity is much more common in real-world network traffic
## than one would intuitively expect. While in principle, any protocol violation
## could be an attack attempt, it's much more likely that an endpoint's
## implementation interprets an RFC quite liberally.
event flow_weird%(name: string, src: addr, dst: addr%);
## Generated for unexpected activity that is not tied to a specific connection
## or pair of hosts. When Bro's packet analysis encounters activity that
## does not conform to a protocol's specification, it raises one of the
## ``*_weird`` events to report that. This event is raised if the activity is
## not tied directly to a specific connection or pair of hosts.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
## scripts use this name in filtering policies that specify which "weirds" are
## worth reporting.
##
## .. bro:see:: flow_weird
##
## .. note:: "Weird" activity is much more common in real-world network traffic
## than one would intuitively expect. While in principle, any protocol violation
## could be an attack attempt, it's much more likely that an endpoint's
## implementation interprets an RFC quite liberally.
event net_weird%(name: string%);
## Generated regularly for the purpose of profiling Bro's processing. This event
## is raised for every :bro:id:`load_sample_freq` packet. For these packets,
## Bro records script-level functions executed during their processing as well as
## further internal locations. By sampling the processing in this form, one can
## understand where Bro spends its time.
##
## samples: A set with functions and locations seen during the processing of
## the sampled packet.
##
## CPU: The CPU time spent on processing the sampled packet.
##
## dmem: The difference in memory usage caused by processing the sampled packet.
event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
## Generated for ARP requests.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__ for
## more information about the ARP protocol.
##
## mac_src: The request's source MAC address.
##
## mac_dst: The request's destination MAC address.
##
## SPA: The sender protocol address.
##
## SHA: The sender hardware address.
##
## TPA: The target protocol address.
##
## THA: The target hardware address.
##
## .. bro:see:: arp_reply bad_arp
event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
TPA: addr, THA: string%);
## Generated for ARP replies.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__ for
## more information about the ARP protocol.
##
## mac_src: The reply's source MAC address.
##
## mac_dst: The reply's destination MAC address.
##
## SPA: The sender protocol address.
##
## SHA: The sender hardware address.
##
## TPA: The target protocol address.
##
## THA: The target hardware address.
##
## .. bro:see:: arp_request bad_arp
event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
TPA: addr, THA: string%);
## Generated for ARP packets that Bro cannot interpret. Examples are packets with
## non-standard hardware address formats or hardware addresses that do not match the
## originator of the packet.
##
## SPA: The sender protocol address.
##
## SHA: The sender hardware address.
##
## TPA: The target protocol address.
##
## THA: The target hardware address.
##
## explanation: A short description of why the ARP packet is considered "bad".
##
## .. bro:see:: arp_reply arp_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%);
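As an added example (not Bro's ARP analyzer, whose exact checks are not spelled out above), the following parses an Ethernet/ARP frame and decides whether it would correspond to ``arp_request``, ``arp_reply`` or ``bad_arp``, using the two kinds of problem the text names: a non-standard hardware address format, and a sender hardware address that disagrees with the station that actually sent the frame. Which checks to apply, and the ``explanation`` strings, are this example's own choices; the frames in the usage section are constructed.

```python
# Added example, not Bro's own code: parse an Ethernet/ARP frame and apply the
# checks behind the arp_request / arp_reply / bad_arp split described above.
# Which inconsistencies count as "bad" here (hardware type, address lengths,
# sender MAC vs. Ethernet source) is this example's reading of the text, not a
# transcript of Bro's ARP analyzer.
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
HTYPE_ETHERNET = 1
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def classify_arp(frame: bytes) -> dict:
    """Return the event Bro would raise for this frame plus its parameters."""
    def bad(explanation: str, **fields) -> dict:
        return dict(event="bad_arp", explanation=explanation, **fields)

    if len(frame) < 14:
        return bad("truncated Ethernet header")
    mac_dst, mac_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return bad("not an ARP frame (ethertype 0x%04x)" % ethertype)

    arp = frame[14:]
    if len(arp) < 8:
        return bad("truncated ARP header")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if htype != HTYPE_ETHERNET or hlen != 6:
        return bad("non-standard hardware address format (htype=%d hlen=%d)" % (htype, hlen))
    if ptype != ETHERTYPE_IPV4 or plen != 4:
        return bad("non-IPv4 protocol address (ptype=0x%04x plen=%d)" % (ptype, plen))
    if len(arp) < 8 + 2 * (hlen + plen):
        return bad("truncated ARP body")

    sha, spa = arp[8:14], arp[14:18]
    tha, tpa = arp[18:24], arp[24:28]
    fields = dict(mac_src=mac_str(mac_src), mac_dst=mac_str(mac_dst),
                  SPA=ip_str(spa), SHA=mac_str(sha), TPA=ip_str(tpa), THA=mac_str(tha))

    # The ARP sender hardware address should be the station that actually put
    # the frame on the wire; a mismatch marks the packet as malformed.
    if sha != mac_src:
        return bad("sender hardware address %s does not match Ethernet source %s"
                   % (mac_str(sha), mac_str(mac_src)), **fields)
    if oper == ARP_REQUEST:
        return dict(event="arp_request", **fields)
    if oper == ARP_REPLY:
        return dict(event="arp_reply", **fields)
    return bad("unknown ARP opcode %d" % oper, **fields)


def build_arp_frame(mac_src: str, mac_dst: str, oper: int,
                    sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Assemble an Ethernet/ARP frame (for constructing test input)."""
    eth = struct.pack("!6s6sH", mac_bytes(mac_dst), mac_bytes(mac_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, ETHERTYPE_IPV4, 6, 4, oper)
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)


if __name__ == "__main__":
    # Constructed frames: a normal broadcast request, and a reply whose ARP
    # sender address disagrees with the frame's source MAC.
    print(classify_arp(build_arp_frame("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                                       "00:11:22:33:44:55", "10.0.0.5",
                                       "00:00:00:00:00:00", "10.0.0.1")))
    print(classify_arp(build_arp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ARP_REPLY,
                                       "de:ad:be:ef:00:01", "10.0.0.1",
                                       "66:77:88:99:aa:bb", "10.0.0.5")))
```

The returned dict carries the same six parameters the ``arp_request``/``arp_reply`` events receive, so a script-level policy written against those events (for instance, tracking which MAC claims which IP) can be prototyped against this parser's output.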
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_handshake%(c: connection, is_orig: bool,
reserved: string, info_hash: string, peer_id: string%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_unknown bittorrent_peer_weird
event bittorrent_peer_choke%(c: connection, is_orig: bool%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request
## bittorrent_peer_unknown bittorrent_peer_weird
event bittorrent_peer_unchoke%(c: connection, is_orig: bool%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_interested%(c: connection, is_orig: bool%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_not_interested%(c: connection, is_orig: bool%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_request%(c: connection, is_orig: bool, index: count,
begin: count, length: count%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count,
begin: count, piece_length: count%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_unknown bittorrent_peer_weird
event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count,
begin: count, length: count%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_weird
event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count,
data: string%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_unknown
event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_unknown bittorrent_peer_weird
event bt_tracker_request%(c: connection, uri: string,
headers: bt_tracker_headers%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_unknown bittorrent_peer_weird
event bt_tracker_response%(c: connection, status: count,
headers: bt_tracker_headers,
peers: bittorrent_peer_set,
benc: bittorrent_benc_dir%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_unknown bittorrent_peer_weird
event bt_tracker_response_not_ok%(c: connection, status: count,
headers: bt_tracker_headers%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_unknown bittorrent_peer_weird
event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%);
## Generated for Finger requests.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
## information about the Finger protocol.
##
## c: The connection.
##
## full: True if verbose information is requested (``/W`` switch).
##
## username: The request's user name.
##
## hostname: The request's host name.
##
## .. bro:see:: finger_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event finger_request%(c: connection, full: bool, username: string, hostname: string%);
## Generated for Finger replies.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
## information about the Finger protocol.
##
## c: The connection.
##
## reply_line: The reply as returned by the server.
##
## .. bro:see:: finger_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event finger_reply%(c: connection, reply_line: string%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
ttl: count, hops: count, msg_len: count,
payload: string, payload_len: count,
trunc: bool, complete: bool%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## gnutella_not_establish gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event gnutella_partial_binary_msg%(c: connection, orig: bool,
msg: string, len: count%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event gnutella_establish%(c: connection%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event gnutella_not_establish%(c: connection%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event gnutella_http_notify%(c: connection%);
## Generated for Ident requests.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/indent_protocol>`__ for more
## information about the Ident protocol.
##
## c: The connection.
##
## lport: The request's local port.
##
## rport: The request's remote port.
##
## .. bro:see:: ident_error ident_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event ident_request%(c: connection, lport: port, rport: port%);
## Generated for Ident replies.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/indent_protocol>`__ for more
## information about the Ident protocol.
##
## c: The connection.
##
## lport: The corresponding request's local port.
##
## rport: The corresponding request's remote port.
##
## user_id: The user id returned by the reply.
##
## system: The operating system returned by the reply.
##
## .. bro:see:: ident_error ident_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%);
## Generated for Ident error replies.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/indent_protocol>`__ for more
## information about the Ident protocol.
##
## c: The connection.
##
## lport: The corresponding request's local port.
##
## rport: The corresponding request's remote port.
##
## line: The error description returned by the reply.
##
## .. bro:see:: ident_reply ident_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event ident_error%(c: connection, lport: port, rport: port, line: string%);
## Generated for Telnet/Rlogin login failures. The *login* analyzer inspects
## Telnet/Rlogin sessions to heuristically extract username and password
## information as well as the text returned by the login server. This event is
## raised if a login attempt appears to have been unsuccessful.
##
## c: The connection.
##
## user: The user name tried.
##
## client_user: For Telnet connections, this is an empty string, but for Rlogin
## connections, it is the client name passed in the initial authentication
## information (to check against .rhosts).
##
## password: The password tried.
##
## line: The line of text that led the analyzer to conclude that the
## authentication had failed.
##
## .. bro:see:: login_confused login_confused_text login_display login_input_line
## login_output_line login_prompt login_success login_terminal direct_login_prompts
## get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
## login_timeouts set_login_state
##
## .. note:: The login analyzer depends on a set of script-level variables that
## need to be configured with patterns identifying login attempts. This configuration
## has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is
## therefore not directly usable at the moment.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%);
## Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects
## Telnet/Rlogin sessions to heuristically extract username and password
## information as well as the text returned by the login server. This event is
## raised if a login attempt appears to have been successful.
##
## c: The connection.
##
## user: The user name used.
##
## client_user: For Telnet connections, this is an empty string, but for Rlogin
## connections, it is the client name passed in the initial authentication
## information (to check against .rhosts).
##
## password: The password used.
##
## line: The line of text that led the analyzer to conclude that the
## authentication had succeeded.
##
## .. bro:see:: login_confused login_confused_text login_display login_failure
## login_input_line login_output_line login_prompt login_terminal
## direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs
## login_prompts login_success_msgs login_timeouts set_login_state
##
## .. note:: The login analyzer depends on a set of script-level variables that
## need to be configured with patterns identifying login attempts. This configuration
## has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is
## therefore not directly usable at the moment.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event login_success%(c: connection, user: string, client_user: string, password: string, line: string%);
## Generated for lines of input on Telnet/Rlogin sessions. The line will have
## control characters (such as in-band Telnet options) removed.
##
## c: The connection.
##
## line: The input line.
##
## .. bro:see:: login_confused login_confused_text login_display login_failure
## login_output_line login_prompt login_success login_terminal rsh_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event login_input_line%(c: connection, line: string%);
## Generated for lines of output on Telnet/Rlogin sessions. The line will have
## control characters (such as in-band Telnet options) removed.
##
## c: The connection.
##
## line: The output line.
##
## .. bro:see:: login_confused login_confused_text login_display login_failure
## login_input_line login_prompt login_success login_terminal rsh_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event login_output_line%(c: connection, line: string%);
## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's *login*
## analyzer uses a number of heuristics to extract authentication information, it
## may become confused. If it can no longer correctly track the authentication
## dialog, it raises this event.
##
## c: The connection.
##
## msg: Gives the particular problem the heuristics detected (for example,
## ``multiple_login_prompts`` means that the engine saw several login prompts in
## a row, without the type-ahead from the client side presumed necessary to cause
## them).
##
## line: The line of text that caused the heuristics to conclude they were
## confused.
##
## .. bro:see:: login_confused_text login_display login_failure login_input_line login_output_line
## login_prompt login_success login_terminal direct_login_prompts get_login_state
## login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
## login_timeouts set_login_state
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event login_confused%(c: connection, msg: string, line: string%);
## Generated after getting confused while tracking a Telnet/Rlogin authentication
## dialog. The *login* analyzer generates this event for every line of user input
## after it has reported :bro:id:`login_confused` for a connection.
##
## c: The connection.
##
## line: The line the user typed.
##
## .. bro:see:: login_confused login_display login_failure login_input_line
## login_output_line login_prompt login_success login_terminal direct_login_prompts
## get_login_state login_failure_msgs login_non_failure_msgs login_prompts
## login_success_msgs login_timeouts set_login_state
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event login_confused_text%(c: connection, line: string%);
## Generated for clients transmitting a terminal type in a Telnet session. This
## information is extracted out of environment variables sent as Telnet options.
##
## c: The connection.
##
## terminal: The TERM value transmitted.
##
## .. bro:see:: login_confused login_confused_text login_display login_failure
## login_input_line login_output_line login_prompt login_success
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event login_terminal%(c: connection, terminal: string%);
## Generated for clients transmitting an X11 DISPLAY in a Telnet session. This
## information is extracted out of environment variables sent as Telnet options.
##
## c: The connection.
##
## display: The DISPLAY transmitted.
##
## .. bro:see:: login_confused login_confused_text login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event login_display%(c: connection, display: string%);
## Generated when a Telnet authentication has been successful. The Telnet protocol
## includes options for negotiating authentication. When such an option is sent
## from client to server and the server replies that it accepts the authentication,
## then the event engine generates this event.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
## about the Telnet protocol.
##
## name: The authenticated name.
##
## c: The connection.
##
## .. bro:see:: authentication_rejected authentication_skipped login_success
##
## .. note:: This event inspects the corresponding Telnet option while :bro:id:`login_success`
## heuristically determines success by watching session data.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event authentication_accepted%(name: string, c: connection%);
## Generated when a Telnet authentication has been unsuccessful. The Telnet
## protocol includes options for negotiating authentication. When such an option
## is sent from client to server and the server replies that it did not accept the
## authentication, then the event engine generates this event.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
## about the Telnet protocol.
##
## name: The attempted authentication name.
##
## c: The connection.
##
## .. bro:see:: authentication_accepted authentication_skipped login_failure
##
## .. note:: This event inspects the corresponding Telnet option while :bro:id:`login_failure`
## heuristically determines failure by watching session data.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event authentication_rejected%(name: string, c: connection%);
## Generated for Telnet/Rlogin sessions when a pattern match indicates
## that no authentication is performed.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
## about the Telnet protocol.
##
## c: The connection.
##
## .. bro:see:: authentication_accepted authentication_rejected direct_login_prompts
## get_login_state login_failure_msgs login_non_failure_msgs login_prompts
## login_success_msgs login_timeouts set_login_state
##
## .. note:: The login analyzer depends on a set of script-level variables that
## need to be configured with patterns identifying activity. This configuration has
## not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore
## not directly usable at the moment.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event authentication_skipped%(c: connection%);
## Generated for clients transmitting a terminal prompt in a Telnet session. This
## information is extracted out of environment variables sent as Telnet options.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
## about the Telnet protocol.
##
## c: The connection.
##
## prompt: The TTYPROMPT transmitted.
##
## .. bro:see:: login_confused login_confused_text login_display login_failure
## login_input_line login_output_line login_success login_terminal
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event login_prompt%(c: connection, prompt: string%);
## Generated for Telnet sessions when encryption is activated. The Telnet protocol
## includes options for negotiating encryption. When such a series of options is
## successfully negotiated, the event engine generates this event.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
## about the Telnet protocol.
##
## c: The connection.
##
## .. bro:see:: authentication_accepted authentication_rejected authentication_skipped
## login_confused login_confused_text login_display login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
event activating_encryption%(c: connection%);
## Generated for inconsistent Telnet options observed. Telnet options are specified
## by the client and server stating which options they are willing to support
## vs. which they are not, and then instructing one another which in fact they
## should or should not use for the current connection. If the event engine sees
## a peer violate either what the other peer has instructed it to do, or what it
## itself offered in terms of options in the past, then the engine generates an
## inconsistent_option event.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
## about the Telnet protocol.
##
## c: The connection.
##
## .. bro:see:: bad_option bad_option_termination authentication_accepted
## authentication_rejected authentication_skipped login_confused
## login_confused_text login_display login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
event inconsistent_option%(c: connection%);
## Generated for an ill-formed or unrecognized Telnet option.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
## about the Telnet protocol.
##
## c: The connection.
##
## .. bro:see:: inconsistent_option bad_option_termination authentication_accepted
## authentication_rejected authentication_skipped login_confused
## login_confused_text login_display login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event bad_option%(c: connection%);
## Generated for a Telnet option that's incorrectly terminated.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
## about the Telnet protocol.
##
## c: The connection.
##
## .. bro:see:: inconsistent_option bad_option authentication_accepted
## authentication_rejected authentication_skipped login_confused
## login_confused_text login_display login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event bad_option_termination%(c: connection%);
## Generated for client side commands on an RSH connection.
##
## See `RFC 1258 <http://tools.ietf.org/html/rfc1258>`__ for more information about
## the Rlogin/Rsh protocol.
##
## c: The connection.
##
## client_user: The client-side user name as sent in the initial protocol
## handshake.
##
## server_user: The server-side user name as sent in the initial protocol
## handshake.
##
## line: The command line sent in the request.
##
## new_session: True if this is the first command of the Rsh session.
##
## .. bro:see:: rsh_reply login_confused login_confused_text login_display
## login_failure login_input_line login_output_line login_prompt login_success
## login_terminal
##
## .. note:: For historical reasons, these events are separate from the ``login_``
## events. Ideally, they would all be handled uniquely.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%);
## Generated for server output on an RSH connection.
##
## See `RFC 1258 <http://tools.ietf.org/html/rfc1258>`__ for more information about
## the Rlogin/Rsh protocol.
##
## c: The connection.
##
## client_user: The client-side user name as sent in the initial protocol
## handshake.
##
## server_user: The server-side user name as sent in the initial protocol
## handshake.
##
## line: The server output.
##
## .. bro:see:: rsh_request login_confused login_confused_text login_display
## login_failure login_input_line login_output_line login_prompt login_success
## login_terminal
##
## .. note:: For historical reasons, these events are separate from the ``login_``
## events. Ideally, they would all be handled uniquely.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%);
## Generated for client-side FTP commands.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for more
## information about the FTP protocol.
##
## c: The connection.
##
## command: The FTP command issued by the client (without any arguments).
##
## arg: The arguments going with the command.
##
## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port
## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
event ftp_request%(c: connection, command: string, arg: string%) &group="ftp";
## Generated for server-side FTP replies.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for more
## information about the FTP protocol.
##
## c: The connection.
##
## code: The numerical response code the server responded with.
##
## msg: The textual message of the response.
##
## cont_resp: True if the reply line is tagged as being continued to the next line.
## If so, further events will be raised and a handler may want to reassemble the
## pieces before processing the response any further.
##
## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port
## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &group="ftp";
## Generated for client-side SMTP commands.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
## for more information about the SMTP protocol.
##
## c: The connection.
##
## is_orig: True if the sender of the command is the originator of the TCP
## connection. Note that this is not redundant: the SMTP ``TURN`` command allows
## client and server to flip roles on established SMTP sessions, and hence a
## "request" might still come from the TCP-level responder. In practice, however,
## that will rarely happen as TURN is considered insecure and rarely used.
##
## command: The request's command, without any arguments.
##
## arg: The request command's arguments.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
## smtp_data smtp_reply
##
## .. note:: Bro does not support the newer ETRN extension yet.
event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) &group="smtp";
## Generated for server-side SMTP commands.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
## for more information about the SMTP protocol.
##
## c: The connection.
##
## is_orig: True if the sender of the command is the originator of the TCP
## connection. Note that this is not redundant: the SMTP ``TURN`` command
## allows client and server to flip roles on established SMTP sessions,
## and hence a "reply" might still come from the TCP-level originator. In
## practice, however, that will rarely happen as TURN is considered insecure
## and rarely used.
##
## code: The reply's numerical code.
##
## cmd: The command this reply responds to.
##
## msg: The reply's textual description.
##
## cont_resp: True if the reply line is tagged as being continued to the next line.
## If so, further events will be raised and a handler may want to reassemble the
## pieces before processing the response any further.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
## smtp_data smtp_request
##
## .. note:: Bro doesn't support the newer ETRN extension yet.
event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%) &group="smtp";
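# Added example, not part of event.bif or Bro's own scripts: a handler that
# reassembles the pieces of a continued reply before acting on it, as the
# *cont_resp* parameter of both :bro:id:`ftp_reply` and :bro:id:`smtp_reply`
# calls for. The event name smtp_reply_complete and the 5xx filter are
# assumptions of this example.

```bro
# Partial text of replies still in progress, keyed by connection. All lines of
# one reply arrive on the same connection, so the connection id suffices.
global pending_replies: table[conn_id] of string &default="";

# Raised once the final line of a (possibly multi-line) reply has been seen.
# Assumed name; this is not an event generated by the Bro core.
global smtp_reply_complete: event(c: connection, code: count, msg: string);

event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
                 msg: string, cont_resp: bool)
	{
	# Append this line's text to what has been collected so far.
	local so_far = pending_replies[c$id];
	pending_replies[c$id] = so_far == "" ? msg : cat(so_far, "\n", msg);

	# A continued line means more of the same reply follows; keep waiting.
	if ( cont_resp )
		return;

	# Final line: hand the assembled text on and drop the buffer.
	event smtp_reply_complete(c, code, pending_replies[c$id]);
	delete pending_replies[c$id];
	}

event smtp_reply_complete(c: connection, code: count, msg: string)
	{
	# Permanent negative replies (5xx) are the ones worth surfacing, e.g.
	# relaying denied or a rejected recipient; the full multi-line text
	# usually carries the server's explanation.
	if ( code >= 500 && code < 600 )
		print fmt("%s -> %s: SMTP %d rejected: %s",
		          c$id$orig_h, c$id$resp_h, code, msg);
	}

# Don't keep buffers for connections that end in the middle of a reply.
event connection_state_remove(c: connection)
	{
	delete pending_replies[c$id];
	}
```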
## Generated for DATA transmitted on SMTP sessions. This event is raised for
## subsequent chunks of raw data following the ``DATA`` SMTP command until the
## corresponding end marker ``.`` is seen. A handler may want to reassemble
## the pieces as they come in if stream-analysis is required.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
## for more information about the SMTP protocol.
##
## c: The connection.
##
## is_orig: True if the sender of the data is the originator of the TCP
## connection.
##
## data: The raw data. Note that the size of each chunk is undefined and
## depends on specifics of the underlying TCP connection.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
## smtp_reply smtp_request skip_smtp_data
##
## .. note:: This event receives the unprocessed raw data. There is a separate
## set of ``mime_*`` events that strip out the outer MIME layer of emails and provide
## structured access to their content.
event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp";
## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks the
## state of SMTP sessions and reports commands and other activity with this event
## that it sees even though it would not expect so at the current point of the
## communication.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
## for more information about the SMTP protocol.
##
## c: The connection.
##
## is_orig: True if the sender of the unexpected activity is the originator of the
## TCP connection.
##
## msg: A descriptive message of what was unexpected.
##
## detail: The actual SMTP line triggering the event.
##
## .. bro:see:: smtp_data smtp_request smtp_reply
event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%) &group="smtp";
## Generated when starting to parse an email MIME entity. MIME is a
## protocol-independent data format for encoding text and files, along with
## corresponding meta-data, for transmission. Bro raises this event when it begins
## parsing a MIME entity extracted from an email protocol.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the MIME
## format.
##
## c: The connection.
##
## .. bro:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity
## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
## http_begin_entity
##
## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, however,
## it raises :bro:id:`http_begin_entity` instead.
event mime_begin_entity%(c: connection%);
## Generated when finishing parsing an email MIME entity. MIME is a
## protocol-independent data format for encoding text and files, along with
## corresponding meta-data, for transmission. Bro raises this event when it
## finished parsing a MIME entity extracted from an email protocol.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the MIME
## format.
##
## c: The connection.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
## http_end_entity
##
## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, however,
## it raises :bro:id:`http_end_entity` instead.
event mime_end_entity%(c: connection%);
## Generated for individual MIME headers extracted from email MIME
## entities. MIME is a protocol-independent data format for encoding text and
## files, along with corresponding meta-data, for transmission.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the MIME
## format.
##
## c: The connection.
##
## h: The parsed MIME header.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_end_entity mime_entity_data mime_event mime_segment_data
## http_header http_all_headers
##
## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however,
## it raises :bro:id:`http_header` instead.
event mime_one_header%(c: connection, h: mime_header_rec%);
## Generated for MIME headers extracted from email MIME entities, passing all
## headers at once. MIME is a protocol-independent data format for encoding text
## and files, along with corresponding meta-data, for transmission.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the MIME
## format.
##
## c: The connection.
##
## hlist: A *table* containing all headers extracted from the current entity.
## The table is indexed by the position of the header (1 for the first, 2 for the
## second, etc.).
##
## .. bro:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity
## mime_entity_data mime_event mime_one_header mime_segment_data
## http_header http_all_headers
##
## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however,
## it raises :bro:id:`http_header` instead.
event mime_all_headers%(c: connection, hlist: mime_header_list%);
## Generated for chunks of decoded MIME data from email MIME entities. MIME
## is a protocol-independent data format for encoding text and files, along with
## corresponding meta-data, for transmission. As Bro parses the data of an entity,
## it raises a sequence of these events, each coming as soon as a new chunk of
## data is available. In contrast, there is also :bro:id:`mime_entity_data`, which
## passes all of an entity's data at once in a single block. While the latter is
## more convenient to handle, ``mime_segment_data`` is more efficient as Bro does
## not need to buffer the data. Thus, if possible, this event should be preferred.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the MIME
## format.
##
## c: The connection.
##
## length: The length of *data*.
##
## data: The raw data of one segment of the current entity.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
## mime_segment_length mime_segment_overlap_length
##
## .. note:: Bro also extracts MIME data from HTTP sessions. For those, however, it
## raises :bro:id:`http_entity_data` (sic!) instead.
event mime_segment_data%(c: connection, length: count, data: string%);
## Generated for data decoded from an email MIME entity. This event delivers
## the complete content of a single MIME entity. In contrast, there is also
## :bro:id:`mime_segment_data`, which passes on a sequence of data chunks as
## they come in. While ``mime_entity_data`` is more convenient to handle,
## ``mime_segment_data`` is more efficient as Bro does not need to buffer the data.
## Thus, if possible, the latter should be preferred.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the MIME
## format.
##
## c: The connection.
##
## length: The length of *data*.
##
## data: The raw data of the complete entity.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_end_entity mime_event mime_one_header mime_segment_data
##
## .. note:: While Bro also decodes MIME entities extracted from HTTP
## sessions, there's no corresponding event for that currently.
event mime_entity_data%(c: connection, length: count, data: string%);
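# Added example, not part of event.bif or Bro's own scripts: streaming
# bookkeeping over the MIME events described above. It uses
# :bro:id:`mime_segment_data` instead of :bro:id:`mime_entity_data` so that no
# entity is ever buffered, records each entity's Content-Type and filename from
# :bro:id:`mime_one_header`, and adds up decoded bytes as they arrive. The
# module name, the notice type and the size threshold are assumptions.

```bro
@load base/frameworks/notice

module MimeStream;

export {
	redef enum Notice::Type += {
		# An entity's decoded size exceeded max_entity_bytes (assumed type).
		Large_Entity,
	};

	# Assumed threshold; tune to the environment.
	const max_entity_bytes = 10 * 1024 * 1024 &redef;
}

type EntityInfo: record {
	content_type: string &default="";
	filename:     string &default="";
	bytes:        count  &default=0;
	reported:     bool   &default=F;
};

# The entity currently being parsed on each connection. The entities of one
# message arrive one after another, so a single slot per connection suffices.
global entities: table[conn_id] of EntityInfo;

event mime_begin_entity(c: connection)
	{
	local e: EntityInfo;
	entities[c$id] = e;
	}

event mime_one_header(c: connection, h: mime_header_rec)
	{
	if ( c$id !in entities )
		return;

	# Header names are delivered as transmitted; compare case-insensitively.
	local name = to_lower(h$name);

	if ( name == "content-type" )
		entities[c$id]$content_type = h$value;
	else if ( name == "content-disposition" )
		{
		# Extract the name from e.g. 'attachment; filename="report.exe"'.
		local parts = split1(h$value, /filename=\"?/);
		if ( 2 in parts )
			entities[c$id]$filename = split1(parts[2], /[\";]/)[1];
		}
	}

event mime_segment_data(c: connection, length: count, data: string)
	{
	if ( c$id !in entities )
		return;

	# Only the running total is kept; *data* itself is never stored.
	entities[c$id]$bytes += length;

	local e = entities[c$id];
	if ( ! e$reported && e$bytes > max_entity_bytes )
		{
		entities[c$id]$reported = T;
		NOTICE([$note=Large_Entity,
		        $msg=fmt("MIME entity %s (%s) exceeds %d bytes",
		                 e$filename, e$content_type, max_entity_bytes),
		        $conn=c]);
		}
	}

event mime_end_entity(c: connection)
	{
	if ( c$id !in entities )
		return;

	local e = entities[c$id];
	print fmt("%s: entity type=%s filename=%s bytes=%d",
	          c$uid, e$content_type, e$filename, e$bytes);
	delete entities[c$id];
	}

# Drop state for connections that end before mime_end_entity arrives.
event connection_state_remove(c: connection)
	{
	delete entities[c$id];
	}
```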
## Generated for passing on all data decoded from a single email MIME
## message. If an email message has more than one MIME entity, this event
## combines all their data into a single value for analysis. Note that because
## of the potentially significant buffering necessary, using this event can be
## expensive.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the MIME
## format.
##
## c: The connection.
##
## length: The length of *data*.
##
## data: The raw data of all MIME entities concatenated.
##
## .. bro:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
## mime_entity_data mime_event mime_one_header mime_segment_data
##
## .. note:: While Bro also decodes MIME entities extracted from HTTP
## sessions, there's no corresponding event for that currently.
event mime_all_data%(c: connection, length: count, data: string%);
## Generated for errors found when decoding email MIME entities.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the MIME
## format.
##
## c: The connection.
##
## event_type: A string describing the general category of the problem found (e.g.,
## ``illegal format``).
##
## detail: Further more detailed description of the error.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event
##
## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however,
## it raises :bro:id:`http_event` instead.
event mime_event%(c: connection, event_type: string, detail: string%);
## Generated for decoded MIME entities extracted from email messages, passing on
## their MD5 checksums. Bro computes the MD5 over the complete decoded data of
## each MIME entity.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## <http://en.wikipedia.org/wiki/MIME>`__ for more information about the MIME
## format.
##
## c: The connection.
##
## content_len: The length of the entity being hashed.
##
## hash_value: The MD5 hash.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
## mime_entity_data mime_event mime_one_header mime_segment_data
##
## .. note:: While Bro also decodes MIME entities extracted from HTTP
## sessions, there's no corresponding event for that currently.
event mime_content_hash%(c: connection, content_len: count, hash_value: string%);
## Generated for RPC request/reply *pairs*. The RPC analyzer associates request
## and reply by their transaction identifiers and raises this event once both
## have been seen. If there's no reply, the event will still be generated eventually
## on timeout. In that case, *status* will be set to :bro:enum:`RPC_TIMEOUT`.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/ONC_RPC>`__ for more information
## about the ONC RPC protocol.
##
## c: The connection.
##
## prog: The remote program to call.
##
## ver: The version of the remote program to call.
##
## proc: The procedure of the remote program to call.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
##
## start_time: The time when the *call* was seen.
##
## call_len: The size of the *call_body* PDU.
##
## reply_len: The size of the *reply_body* PDU.
##
## .. bro:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%);
## Generated for RPC *call* messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/ONC_RPC>`__ for more information
## about the ONC RPC protocol.
##
## c: The connection.
##
## xid: The transaction identifier allowing to match requests with replies.
##
## prog: The remote program to call.
##
## ver: The version of the remote program to call.
##
## proc: The procedure of the remote program to call.
##
## call_len: The size of the *call_body* PDU.
##
## .. bro:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%);
## Generated for RPC *reply* messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/ONC_RPC>`__ for more information
## about the ONC RPC protocol.
##
## c: The connection.
##
## xid: The transaction identifier allowing to match requests with replies.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
##
## reply_len: The size of the *reply_body* PDU.
##
## .. bro:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%);
## Generated for Portmapper requests of type *null*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the service.
##
## r: The RPC connection.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
## pm_request_dump pm_request_getport pm_request_set pm_request_unset rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_request_null%(r: connection%);
## Generated for Portmapper request/reply dialogues of type *set*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the service.
##
## r: The RPC connection.
##
## m: The argument to the request.
##
## success: True if the request was successful, according to the corresponding
## reply. If no reply was seen, this will be false once the request times out.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
## pm_request_dump pm_request_getport pm_request_null pm_request_unset rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
## Generated for Portmapper request/reply dialogues of type *unset*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the service.
##
## r: The RPC connection.
##
## m: The argument to the request.
##
## success: True if the request was successful, according to the corresponding
## reply. If no reply was seen, this will be false once the request times out.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
## pm_request_dump pm_request_getport pm_request_null pm_request_set rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
## Generated for Portmapper request/reply dialogues of type *getport*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the service.
##
## r: The RPC connection.
##
## pr: The argument to the request.
##
## p: The port returned by the server.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
## pm_request_dump pm_request_null pm_request_set pm_request_unset rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
## Generated for Portmapper request/reply dialogues of type *dump*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the service.
##
## r: The RPC connection.
##
## m: The mappings returned by the server.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_request_dump%(r: connection, m: pm_mappings%);
## Generated for Portmapper request/reply dialogues of type *callit*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
## service.
##
## r: The RPC connection.
##
## call: The argument to the request.
##
## p: The port value returned by the call.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_dump
## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
## Generated for failed Portmapper requests of type *null*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
## service.
##
## r: The RPC connection.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_attempt_null%(r: connection, status: rpc_status%);
## Generated for failed Portmapper requests of type *set*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
## service.
##
## r: The RPC connection.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
##
## m: The argument to the original request.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
## pm_attempt_null pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
## Generated for failed Portmapper requests of type *unset*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
## service.
##
## r: The RPC connection.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
##
## m: The argument to the original request.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
## pm_attempt_null pm_attempt_set pm_bad_port pm_request_callit pm_request_dump
## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
## Generated for failed Portmapper requests of type *getport*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
## service.
##
## r: The RPC connection.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
##
## pr: The argument to the original request.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_null
## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%);
## Generated for failed Portmapper requests of type *dump*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
## service.
##
## r: The RPC connection.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_getport pm_attempt_null
## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_attempt_dump%(r: connection, status: rpc_status%);
## Generated for failed Portmapper requests of type *callit*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
## service.
##
## r: The RPC connection.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
##
## call: The argument to the original request.
##
## .. bro:see:: epm_map_response pm_attempt_dump pm_attempt_getport pm_attempt_null
## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%);
## Generated for Portmapper requests or replies that include an invalid port
## number. Since ports are represented by unsigned 4-byte integers, they can stray
## outside the allowed range of 0--65535 by being >= 65536. If so, this event is
## generated.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
## service.
##
## r: The RPC connection.
##
## bad_p: The invalid port value.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
## pm_attempt_null pm_attempt_set pm_attempt_unset pm_request_callit
## pm_request_dump pm_request_getport pm_request_null pm_request_set
## pm_request_unset rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_bad_port%(r: connection, bad_p: count%);
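The ``.. todo::`` notes above say the Portmapper analyzer must be enabled through ``dpd_config`` before any ``pm_*`` event fires. The following Bro script is an added example, not part of event.bif or of Bro's own scripts: it enables the analyzer and handles ``pm_request_getport`` and ``pm_bad_port``, turning an out-of-range port value into a notice. It assumes ``ANALYZER_PORTMAPPER`` is the analyzer tag, that ``pm_port_request`` carries ``program``, ``version`` and ``is_tcp`` fields, and a hypothetical module name ``PortmapperWatch``.

```bro
@load base/frameworks/notice

module PortmapperWatch;

export {
	redef enum Notice::Type += {
		## A Portmapper request or reply carried a port value >= 65536.
		Bad_Port,
	};
}

# Assumption: ANALYZER_PORTMAPPER is the tag of Bro's Portmapper analyzer, and
# 111/tcp and 111/udp are the ports the service is expected on.
redef dpd_config += {
	[ANALYZER_PORTMAPPER] = [$ports = set(111/tcp, 111/udp)]
};

# Record which program/version the client asked about and which port the
# server handed back; this is the mapping later connections will use.
event pm_request_getport(r: connection, pr: pm_port_request, p: port)
	{
	# Assumption: pm_port_request has program, version and is_tcp fields.
	print fmt("%s asked %s for program %d v%d over %s, answer: %s",
	          r$id$orig_h, r$id$resp_h, pr$program, pr$version,
	          pr$is_tcp ? "tcp" : "udp", p);
	}

# A port value outside 0--65535 cannot be a real mapping; a client or server
# sending one is either broken or malformed, so surface it as a notice.
event pm_bad_port(r: connection, bad_p: count)
	{
	NOTICE([$note=Bad_Port, $conn=r,
	        $msg=fmt("Portmapper port value %d is outside 0-65535", bad_p)]);
	}
```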
## Generated for NFSv3 request/reply dialogues of type *null*. The event is
## generated once we have either seen both the request and its corresponding reply,
## or an unanswered request has timed out.
##
## NFS is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
## information about the service.
##
## c: The RPC connection.
##
## info: Reports the status of the dialogue, along with some meta information.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_read nfs_proc_readdir nfs_proc_readlink
## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event nfs_proc_null%(c: connection, info: NFS3::info_t%);
## Generated for NFSv3 request/reply dialogues of type *getattr*. The event is
## generated once we have either seen both the request and its corresponding reply,
## or an unanswered request has timed out.
##
## NFS is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
## information about the service.
##
## c: The RPC connection.
##
## info: Reports the status of the dialogue, along with some meta information.
##
## fh: The file handle passed in the request.
##
## attrs: The attributes returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply NFS3::mode2string
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%);
## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is
## generated once we have either seen both the request and its corresponding reply,
## or an unanswered request has timed out.
##
## NFS is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
## information about the service.
##
## c: The RPC connection.
##
## info: Reports the status of the dialogue, along with some meta information.
##
## req: The arguments passed in the request.
##
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%);
## Generated for NFSv3 request/reply dialogues of type *read*. The event is
## generated once we have either seen both the request and its corresponding reply,
## or an unanswered request has timed out.
##
## NFS is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
## information about the service.
##
## c: The RPC connection.
##
## info: Reports the status of the dialogue, along with some meta information.
##
## req: The arguments passed in the request.
##
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_remove nfs_proc_rmdir
## nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
## NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%);
## Generated for NFSv3 request/reply dialogues of type *readlink*. The event is
## generated once we have either seen both the request and its corresponding reply,
## or an unanswered request has timed out.
##
## NFS is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
## information about the service.
##
## c: The RPC connection.
##
## info: Reports the status of the dialogue, along with some meta information.
##
## fh: The file handle passed in the request.
##
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%);
## Generated for NFSv3 request/reply dialogues of type *write*. The event is
## generated once we have either seen both the request and its corresponding reply,
## or an unanswered request has timed out.
##
## NFS is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
## information about the service.
##
## c: The RPC connection.
##
## info: Reports the status of the dialogue, along with some meta information.
##
## req: The arguments passed in the request.
##
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_reply_status rpc_call
## rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only
## NFS3::return_data_max
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%);
## Generated for NFSv3 request/reply dialogues of type *create*. The event is
## generated once we have either seen both the request and its corresponding reply,
## or an unanswered request has timed out.
##
## NFS is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
## information about the service.
##
## c: The RPC connection.
##
## info: Reports the status of the dialogue, along with some meta information.
##
## req: The arguments passed in the request.
##
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
## Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is
## generated once we have either seen both the request and its corresponding reply,
## or an unanswered request has timed out.
##
## NFS is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
## information about the service.
##
## c: The RPC connection.
##
## info: Reports the status of the dialogue, along with some meta information.
##
## req: The arguments passed in the request.
##
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
## Generated for NFSv3 request/reply dialogues of type *remove*. The event is
## generated once we have either seen both the request and its corresponding reply,
## or an unanswered request has timed out.
##
## NFS is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
## information about the service.
##
## c: The RPC connection.
##
## info: Reports the status of the dialogue, along with some meta information.
##
## req: The arguments passed in the request.
##
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
## Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is
## generated once we have either seen both the request and its corresponding reply,
## or an unanswered request has timed out.
##
## NFS is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
## information about the service.
##
## c: The RPC connection.
##
## info: Reports the status of the dialogue, along with some meta information.
##
## req: The arguments passed in the request.
##
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is
## generated once we have either seen both the request and its corresponding reply,
## or an unanswered request has timed out.
##
## NFS is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
## information about the service.
##
## c: The RPC connection.
##
## info: Reports the status of the dialogue, along with some meta information.
##
## req: The arguments passed in the request.
##
## rep: The response returned in the reply. The values may not be valid if the
## request was unsuccessful.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readlink
## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%);
## Generated for NFS3 request/reply dialogues of a type that Bro's NFS3 analyzer
## does not implement.
##
## NFS is a service running on top of RPC. See `Wikipedia
## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
## information about the service.
##
## c: The RPC connection.
##
## info: Reports the status of the dialogue, along with some meta information.
##
## proc: The procedure called that Bro does not implement.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
## nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%);
## Generated for each NFS3 reply message received, reporting just the
## status included.
##
## n: The connection.
##
## info: Reports the status included in the reply.
##
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event nfs_reply_status%(n: connection, info: NFS3::info_t%);
## Generated for all NTP messages. Unlike many other Bro events, this one is
## generated for both client-side and server-side messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Network_Time_Protocoll>`__ for more
## information about the NTP protocol.
##
## u: The connection record describing the corresponding UDP flow.
##
## msg: The parsed NTP message.
##
## excess: The raw bytes of any optional parts of the NTP packet. Bro does not
## further parse any optional fields.
##
## .. bro:see:: ntp_session_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer processes
## the NetBIOS session service running on TCP port 139, and (despite its name!) the
## NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. `RFC 1002 <http://tools.ietf.org/html/rfc1002>`__ describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## msg_type: The general type of message, as defined in Section 4.3.1 of `RFC 1002
## <http://tools.ietf.org/html/rfc1002>`__.
##
## data_len: The length of the message's payload.
##
## .. bro:see:: netbios_session_accepted netbios_session_keepalive
## netbios_session_raw_message netbios_session_rejected netbios_session_request
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's SMB
## analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%);
## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS analyzer
## processes the NetBIOS session service running on TCP port 139, and (despite its
## name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. `RFC 1002 <http://tools.ietf.org/html/rfc1002>`__ describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
##
## msg: The raw payload of the message sent, excluding the common NetBIOS
## header.
##
## .. bro:see:: netbios_session_accepted netbios_session_keepalive
## netbios_session_message netbios_session_raw_message netbios_session_rejected
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's SMB
## analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event netbios_session_request%(c: connection, msg: string%);
## Generated for NetBIOS messages of type *positive session response*. Bro's
## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139,
## and (despite its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. `RFC 1002 <http://tools.ietf.org/html/rfc1002>`__ describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
##
## msg: The raw payload of the message sent, excluding the common NetBIOS
## header.
##
## .. bro:see:: netbios_session_keepalive netbios_session_message
## netbios_session_raw_message netbios_session_rejected netbios_session_request
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's SMB
## analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event netbios_session_accepted%(c: connection, msg: string%);
## Generated for NetBIOS messages of type *negative session response*. Bro's
## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139,
## and (despite its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. `RFC 1002 <http://tools.ietf.org/html/rfc1002>`__ describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
##
## msg: The raw payload of the message sent, excluding the common NetBIOS
## header.
##
## .. bro:see:: netbios_session_accepted netbios_session_keepalive
## netbios_session_message netbios_session_raw_message netbios_session_request
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's SMB
## analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event netbios_session_rejected%(c: connection, msg: string%);
## Generated for NetBIOS messages of type *session message* that do not carry an
## SMB payload.
##
## Bro's NetBIOS analyzer processes the NetBIOS session service running on TCP
## port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. `RFC 1002 <http://tools.ietf.org/html/rfc1002>`__ describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## msg: The raw payload of the message sent, excluding the common NetBIOS
## header (i.e., the ``user_data``).
##
## .. bro:see:: netbios_session_accepted netbios_session_keepalive
## netbios_session_message netbios_session_rejected netbios_session_request
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's SMB
## analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: This is an oddly named event. In fact, it's probably an odd event to
## have to begin with.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS
## analyzer processes the NetBIOS session service running on TCP port 139, and
## (despite its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. `RFC 1002 <http://tools.ietf.org/html/rfc1002>`__ describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
##
## msg: The raw payload of the message sent, excluding the common NetBIOS header.
##
## .. bro:see:: netbios_session_accepted netbios_session_keepalive
## netbios_session_message netbios_session_raw_message netbios_session_rejected
## netbios_session_request decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's SMB
## analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: This is an oddly named event.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event netbios_session_ret_arg_resp%(c: connection, msg: string%);
## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
## processes the NetBIOS session service running on TCP port 139, and (despite its
## name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. `RFC 1002 <http://tools.ietf.org/html/rfc1002>`__ describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
##
## msg: The raw payload of the message sent, excluding the common NetBIOS header.
##
## .. bro:see:: netbios_session_accepted netbios_session_message
## netbios_session_raw_message netbios_session_rejected netbios_session_request
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's SMB
## analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event netbios_session_keepalive%(c: connection, msg: string%);
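# The session-service framing shared by all NetBIOS events above (RFC 1002,
# Section 4.3.1), as an added example that is not part of Bro: a decoder that
# maps each packet type to the event it would raise and exposes what msg_type,
# data_len and msg (the trailer) denote. Packets are constructed by hand; the
# name encoding follows RFC 1001, Section 14.1.

```python
"""Decode NetBIOS Session Service packets (RFC 1002, Section 4.3.1).

Added example, not code from Bro. It maps each packet to the NetBIOS
session event documented above and exposes what Bro's ``msg_type``,
``data_len`` and ``msg`` (the trailer) denote. All packets used here
are constructed for illustration, not captured traffic.
"""
import struct
from dataclasses import dataclass, field

# TYPE byte -> (RFC 1002 name, Bro event fed by that packet type).
SESSION_TYPES = {
    0x00: ("SESSION MESSAGE", "netbios_session_raw_message"),
    0x81: ("SESSION REQUEST", "netbios_session_request"),
    0x82: ("POSITIVE SESSION RESPONSE", "netbios_session_accepted"),
    0x83: ("NEGATIVE SESSION RESPONSE", "netbios_session_rejected"),
    0x84: ("RETARGET SESSION RESPONSE", "netbios_session_ret_arg_resp"),
    0x85: ("SESSION KEEP ALIVE", "netbios_session_keepalive"),
}

# ERROR_CODE values of a NEGATIVE SESSION RESPONSE (RFC 1002, 4.3.4).
NEGATIVE_ERRORS = {
    0x80: "Not listening on called name",
    0x81: "Not listening for calling name",
    0x82: "Called name not present",
    0x83: "Called name present, but insufficient resources",
    0x8F: "Unspecified error",
}

@dataclass
class SessionPacket:
    msg_type: int
    type_name: str
    event: str              # Bro event this packet would raise
    data_len: int           # 17-bit trailer length from the header
    msg: bytes              # trailer: Bro's ``msg`` / ``user_data``
    details: dict = field(default_factory=dict)

def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """Second-level encode a name (RFC 1001, 14.1): 15 space-padded
    chars plus a suffix byte, each split into two 'A'..'P' nibbles."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    nibbles = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return b"\x20" + nibbles + b"\x00"      # label length, 32 chars, root label

def decode_netbios_name(raw: bytes) -> tuple:
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    enc = raw[1:33]
    decoded = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                    for i in range(0, 32, 2))
    return decoded[:15].rstrip(b" ").decode("ascii", "replace"), decoded[15]

def parse_session_packet(pkt: bytes) -> SessionPacket:
    """Parse one session-service packet: 4-byte header plus trailer."""
    if len(pkt) < 4:
        raise ValueError("short NetBIOS session header")
    msg_type, flags, length = struct.unpack("!BBH", pkt[:4])
    if flags & 0x7F:
        raise ValueError("reserved FLAGS bits set")
    data_len = length | ((flags & 0x80) << 9)    # bit E extends LENGTH by 65536
    msg = pkt[4:4 + data_len]
    if len(msg) != data_len:
        raise ValueError("trailer truncated: want %d, have %d" % (data_len, len(msg)))
    if msg_type not in SESSION_TYPES:
        raise ValueError("unknown session message type 0x%02x" % msg_type)
    type_name, event = SESSION_TYPES[msg_type]
    details = {}
    if msg_type == 0x81 and data_len == 68:          # CALLED NAME, CALLING NAME
        details["called"] = decode_netbios_name(msg[:34])
        details["calling"] = decode_netbios_name(msg[34:])
    elif msg_type == 0x83 and data_len == 1:
        details["error"] = NEGATIVE_ERRORS.get(msg[0], "unknown 0x%02x" % msg[0])
    elif msg_type == 0x84 and data_len == 6:         # RETARGET_IP_ADDRESS, PORT
        details["retarget"] = (".".join(str(b) for b in msg[:4]),
                               struct.unpack("!H", msg[4:])[0])
    elif msg_type == 0x00 and msg[:4] == b"\xffSMB":
        # A session message carrying SMB goes to Bro's SMB analyzer rather
        # than to netbios_session_raw_message.
        event = "smb_message"
    return SessionPacket(msg_type, type_name, event, data_len, msg, details)

def build_session_request(called: str, calling: str) -> bytes:
    """Construct a SESSION REQUEST packet (sample input for the parser)."""
    trailer = encode_netbios_name(called) + encode_netbios_name(calling, 0x00)
    return struct.pack("!BBH", 0x81, 0, len(trailer)) + trailer

# Constructed sample packets, one per event documented above.
SAMPLES = {
    "request": build_session_request("FILESRV", "WKSTN01"),
    "accepted": b"\x82\x00\x00\x00",
    "rejected": b"\x83\x00\x00\x01\x82",
    "retarget": b"\x84\x00\x00\x06" + bytes([192, 0, 2, 10]) + b"\x00\x8b",
    "keepalive": b"\x85\x00\x00\x00",
    "raw": b"\x00\x00\x00\x05hello",
    "smb": struct.pack("!BBH", 0, 0, 32) + b"\xffSMB\x72" + b"\x00" * 27,
}
```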
## Generated for all SMB/CIFS messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## is_orig: True if the message was sent by the originator of the underlying
## transport-level connection.
##
## cmd: A string mnemonic of the SMB command code.
##
## body_length: The length of the SMB message body, i.e. the data starting after
## the SMB header.
##
## body: The raw SMB message body, i.e., the data starting after the SMB header.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
## smb_get_dfs_referral
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string%);
## Generated for SMB/CIFS messages of type *tree connect andx*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## path: The ``path`` attribute specified in the message.
##
## service: The ``service`` attribute specified in the message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
## smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, service: string%);
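# An SMB header decoder covering the smb_message and smb_com_tree_connect_andx
# events above, added here as an example and not Bro's own code: it splits a PDU
# into an smb_hdr-like record (the exact field set is assumed), the command
# mnemonic and the body, and pulls path/service out of a constructed
# TREE_CONNECT_ANDX request.

```python
"""Decode the 32-byte SMB/CIFS header and a TREE_CONNECT_ANDX request.

Added example, not Bro's code: it yields what the smb_message and
smb_com_tree_connect_andx events above hand to a script, using a header
record modelled on Bro's ``smb_hdr`` (its exact field set is assumed).
Layouts and codes follow MS-CIFS; the sample request is constructed.
"""
import struct
from dataclasses import dataclass

SMB_MAGIC = b"\xffSMB"
SMB_FLAGS_REPLY = 0x80        # Flags bit set on server responses
SMB_FLAGS2_UNICODE = 0x8000   # Flags2 bit: strings are UTF-16LE

# Command code -> (mnemonic, Bro event it feeds, per the lists above).
SMB_COMMANDS = {
    0x04: ("SMB_COM_CLOSE", "smb_com_close"),
    0x25: ("SMB_COM_TRANSACTION", "smb_com_transaction"),
    0x2E: ("SMB_COM_READ_ANDX", "smb_com_read_andx"),
    0x2F: ("SMB_COM_WRITE_ANDX", "smb_com_write_andx"),
    0x32: ("SMB_COM_TRANSACTION2", "smb_com_transaction2"),
    0x71: ("SMB_COM_TREE_DISCONNECT", "smb_com_tree_disconnect"),
    0x72: ("SMB_COM_NEGOTIATE", "smb_com_negotiate"),
    0x73: ("SMB_COM_SESSION_SETUP_ANDX", "smb_com_setup_andx"),
    0x74: ("SMB_COM_LOGOFF_ANDX", "smb_com_logoff_andx"),
    0x75: ("SMB_COM_TREE_CONNECT_ANDX", "smb_com_tree_connect_andx"),
    0xA2: ("SMB_COM_NT_CREATE_ANDX", "smb_com_nt_create_andx"),
}
# Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures(8), Reserved(2), TID, PIDLow, UID, MID
HDR_FMT = "<BIBHH8x2xHHHH"

@dataclass
class SmbHdr:
    command: int
    status: int
    flags: int
    flags2: int
    tid: int
    pid: int
    uid: int
    mid: int

@dataclass
class SmbMessage:
    hdr: SmbHdr
    is_response: bool   # from Flags; Bro's is_orig comes from the connection
    cmd: str            # mnemonic, as in Bro's ``cmd``
    event: str          # which event above would see this message
    body: bytes         # data after the header; len() is ``body_length``

def parse_smb_message(buf: bytes) -> SmbMessage:
    """Split one SMB PDU into header record, mnemonic, event and body."""
    if len(buf) < 32 or buf[:4] != SMB_MAGIC:
        raise ValueError("not an SMB message")
    (command, status, flags, flags2, pid_high,
     tid, pid_low, uid, mid) = struct.unpack(HDR_FMT, buf[4:32])
    cmd, event = SMB_COMMANDS.get(command, ("SMB_COM_0x%02X" % command, "smb_message"))
    hdr = SmbHdr(command, status, flags, flags2, tid, (pid_high << 16) | pid_low, uid, mid)
    return SmbMessage(hdr, bool(flags & SMB_FLAGS_REPLY), cmd, event, buf[32:])

def _cstring(buf: bytes, off: int, unicode: bool) -> tuple:
    """Read a NUL-terminated OEM or UTF-16LE string; return (text, next_offset)."""
    if unicode:
        end = off
        while buf[end:end + 2] not in (b"", b"\x00\x00"):
            end += 2
        return buf[off:end].decode("utf-16-le"), end + 2
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1

def parse_tree_connect_andx(msg: SmbMessage) -> tuple:
    """Return (path, service) of a TREE_CONNECT_ANDX request (MS-CIFS 2.2.4.55.1)."""
    if msg.hdr.command != 0x75 or msg.is_response:
        raise ValueError("not a TREE_CONNECT_ANDX request")
    body = msg.body
    if body[0] != 4:                                # WordCount
        raise ValueError("unexpected WordCount %d" % body[0])
    # Words: AndXCommand, AndXReserved, AndXOffset, Flags, PasswordLength
    pw_len = struct.unpack("<BBHHH", body[1:9])[4]
    unicode = bool(msg.hdr.flags2 & SMB_FLAGS2_UNICODE)
    off = 11 + pw_len                               # skip ByteCount and Password
    if unicode and (32 + off) % 2:                  # Pad aligns Path to 16 bits
        off += 1
    path, off = _cstring(body, off, unicode)
    service, off = _cstring(body, off, False)       # Service is always OEM
    return path, service

def build_tree_connect_request(path: str, service: str, unicode: bool = True) -> bytes:
    """Construct a TREE_CONNECT_ANDX request as sample input (not captured)."""
    flags2 = SMB_FLAGS2_UNICODE if unicode else 0
    hdr = SMB_MAGIC + struct.pack(HDR_FMT, 0x75, 0, 0x18, flags2, 0, 0, 0xFEFF, 0x0800, 1)
    data = b"\x00"                                  # Password: one NUL byte
    # 32 header + 11 words/ByteCount + 1 password bytes is even: no Pad needed
    enc, term = ("utf-16-le", b"\x00\x00") if unicode else ("latin-1", b"\x00")
    data += path.encode(enc) + term
    data += service.encode("latin-1") + b"\x00"
    words = struct.pack("<BBBHHH", 4, 0xFF, 0, 0, 0, 1)   # WordCount=4, no AndX
    return hdr + words + struct.pack("<H", len(data)) + data
```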
## Generated for SMB/CIFS messages of type *tree disconnect*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## path: The ``path`` attribute specified in the message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
## smb_com_tree_connect_andx smb_com_write_andx smb_error smb_get_dfs_referral
## smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%);
## Generated for SMB/CIFS messages of type *nt create andx*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## name: The ``name`` attribute specified in the message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_read_andx
## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
## smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%);
## Generated for SMB/CIFS messages of type *nt transaction*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## trans: The parsed transaction header.
##
## data: The raw transaction data.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
## smb_com_trans_rap smb_com_transaction2 smb_com_tree_connect_andx
## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
## smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
## Generated for SMB/CIFS messages of type *nt transaction 2*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## trans: The parsed transaction header.
##
## data: The raw transaction data.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
## smb_com_trans_rap smb_com_transaction smb_com_tree_connect_andx
## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
## smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
## Generated for SMB/CIFS messages of type *transaction mailslot*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## trans: The parsed transaction header.
##
## data: The raw transaction data.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
## smb_com_read_andx smb_com_setup_andx smb_com_trans_pipe smb_com_trans_rap
## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
## smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
## Generated for SMB/CIFS messages of type *transaction rap*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## trans: The parsed transaction header.
##
## data: The raw transaction data.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
## smb_com_trans_pipe smb_com_transaction smb_com_transaction2
## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
## smb_get_dfs_referral smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
## Generated for SMB/CIFS messages of type *transaction pipe*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## trans: The parsed transaction header.
##
## data: The raw transaction data.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_rap
## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
## smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
## Generated for SMB/CIFS messages of type *read andx*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## data: Always empty.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
## smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%);
## Generated for SMB/CIFS messages of type *write andx*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## data: Always empty.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
## smb_com_tree_connect_andx smb_com_tree_disconnect smb_error
## smb_get_dfs_referral smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%);
## Generated for SMB/CIFS messages of type *get dfs referral*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## max_referral_level: The ``max_referral_level`` attribute specified in the
## message.
##
## file_name: The ``file_name`` attribute specified in the message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
## smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string%);
## Generated for SMB/CIFS messages of type *negotiate*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
## smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
## smb_com_write_andx smb_error smb_get_dfs_referral smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_negotiate%(c: connection, hdr: smb_hdr%);
## Generated for SMB/CIFS messages of type *negotiate response*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## dialect_index: The ``dialect`` indicated in the message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
## smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
## smb_com_write_andx smb_error smb_get_dfs_referral smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: count%);
## Generated for SMB/CIFS messages of type *setup andx*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
## smb_com_read_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
## smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_setup_andx%(c: connection, hdr: smb_hdr%);
## Generated for SMB/CIFS messages of type *generic andx*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## .. bro:see:: smb_com_close smb_com_logoff_andx smb_com_negotiate
## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
## smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_generic_andx%(c: connection, hdr: smb_hdr%);
## Generated for SMB/CIFS messages of type *close*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## .. bro:see:: smb_com_generic_andx smb_com_logoff_andx smb_com_negotiate
## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
## smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_close%(c: connection, hdr: smb_hdr%);
## Generated for SMB/CIFS messages of type *logoff andx*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_negotiate
## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
## smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%);
## Generated for SMB/CIFS messages that indicate an error. This event is triggered
## by an SMB header including a status that signals an error.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## cmd: The SMB command code.
##
## cmd_str: A string mnemonic of the SMB command code.
##
## data: The raw SMB message body, i.e., the data starting after the SMB header.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx
## smb_get_dfs_referral smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string%);
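# Added example, not part of event.bif or of Bro's own scripts: counts
# smb_error responses per connection and raises a notice once one connection
# crosses a threshold, the kind of summary a defender wants before reading
# individual SMB failures. It assumes the Bro 2.0 analyzer tag ANALYZER_SMB
# for the dpd_config entry the todo above mentions; the threshold of 20 is a
# constructed starting value meant to be tuned per site.

```bro
@load base/frameworks/notice

module SMBErrors;

export {
	redef enum Notice::Type += {
		## A single connection produced many SMB error responses.
		Error_Burst,
	};

	## Number of errors on one connection before a notice is raised
	## (constructed starting value; tune with redef).
	const error_threshold = 20 &redef;
}

# Enable the SMB analyzer, which Bro 2.0 does not activate by default.
# Assumption: the analyzer tag is ANALYZER_SMB; adjust if your build differs.
redef dpd_config += { [ANALYZER_SMB] = [$ports = set(139/tcp, 445/tcp)] };

# Per-connection error counters, keyed by connection UID.
global errors: table[string] of count;

event smb_error(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string)
	{
	if ( c$uid !in errors )
		errors[c$uid] = 0;

	++errors[c$uid];

	# Fire exactly once per connection, when the threshold is first reached.
	# The NT status is a 32-bit code; hex matches how it is documented.
	if ( errors[c$uid] == error_threshold )
		NOTICE([$note=Error_Burst,
		        $msg=fmt("%d SMB errors on one connection, last: %s status 0x%x",
		                 errors[c$uid], cmd_str, hdr$status),
		        $conn=c]);
	}

event connection_state_remove(c: connection)
	{
	# Drop the counter when Bro forgets the connection.
	if ( c$uid in errors )
		delete errors[c$uid];
	}
```

# The counter lives in its own table rather than in the connection record so
# the script works without redefining `connection`; for a production script
# one would add a field to `connection` instead.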
## Generated for all DNS messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## msg: The parsed DNS message header.
##
## len: The length of the message's raw representation (i.e, the DNS payload).
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected
## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &group="dns";
## Generated for DNS requests. For requests with multiple queries, this event
## is raised once for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## query: The queried name.
##
## qtype: The queried resource record type.
##
## qclass: The queried resource record class.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns";
## Generated for DNS replies that reject a query. This event is raised if a DNS
## reply either indicates failure via its status code or does not pass on any
## answers to a query. Note that all of the event's parameters are parsed out of
## the reply; there's no stateful correlation with the query.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## query: The queried name.
##
## qtype: The queried resource record type.
##
## qclass: The queried resource record class.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns";
## Generated for DNS replies with an *ok* status code but no question section.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## query: The queried name.
##
## qtype: The queried resource record type.
##
## qclass: The queried resource record class.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_rejected
## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_query_reply%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns";
## Generated when the DNS analyzer processes what seems to be a non-DNS packet.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The raw DNS payload.
##
## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
## detection framework.
event non_dns_request%(c: connection, msg: string%) &group="dns";
## Generated for DNS replies of type *A*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## a: The address returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
##
## .. note:: This event is currently also raised for ``AAAA`` records. In that
## case, the address *a* will correspond to the lower-order 4 bytes of the
## IPv6 address. This will go away once IPv6 support is improved.
##
## .. todo:: IPv6 handling is obviously very broken here ...
event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns";
## Generated for DNS replies of type *AAAA*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## a: The address returned by the reply.
##
## .. bro:see:: dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
##
## .. todo:: Raising this event is not implemented currently, not even when
## Bro is compiled with IPv6 support. ``AAAA`` records are currently always
## turned into :bro:id:`dns_A_reply` events.
event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr, astr: string%) &group="dns";
## Generated for DNS replies of type *NS*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## name: The name returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
## Generated for DNS replies of type *CNAME*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## name: The name returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
## Generated for DNS replies of type *PTR*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## name: The name returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
## Generated for DNS replies of type *SOA*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## soa: The parsed SOA value.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%) &group="dns";
## Generated for DNS replies of type *WKS*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
## Generated for DNS replies of type *HINFO*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
## Generated for DNS replies of type *MX*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## name: The name returned by the reply.
##
## preference: The preference for *name* specified by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%) &group="dns";
## Generated for DNS replies of type *TXT*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## str: The textual information returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) &group="dns";
## Generated for DNS replies of type *SRV*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
## Generated for DNS replies of type *EDNS*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The parsed EDNS reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &group="dns";
## Generated for DNS replies of type *TSIG*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The parsed TSIG reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &group="dns";
## Generated at the end of processing a DNS packet. This event is the last
## ``dns_*`` event that will be raised for a DNS query/reply and signals that
## all resource records have been passed on.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_end%(c: connection, msg: dns_msg%) &group="dns";
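# Added example, not part of event.bif or of Bro's own scripts: turns the
# per-record events above into one log line per DNS transaction. It keeps the
# request from dns_request keyed by connection UID and transaction id,
# accumulates dns_A_reply and dns_CNAME_reply answers, marks dns_rejected
# (which, as documented, carries no link to the request on its own), and
# flushes on dns_end, the last dns_* event for a message. Module, log-stream
# and record names are this example's own choices; the 30-second expiry for
# unanswered requests is a constructed value.

```bro
@load base/frameworks/logging

module DNSSummary;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:       time             &log;
		uid:      string           &log;
		id:       conn_id          &log;
		trans_id: count            &log;
		query:    string           &log &optional;
		qtype:    count            &log &optional;
		rcode:    count            &log &optional;
		rejected: bool             &log &default=F;
		answers:  vector of string &log &optional;
	};
}

# Open requests, keyed by connection UID and DNS transaction id. Entries that
# never see a reply are dropped after 30 seconds (constructed value) so a flood
# of unanswered queries cannot grow the table without bound.
global pending: table[string, count] of Info &create_expire=30secs;

function add_answer(c: connection, msg: dns_msg, rr: string)
	{
	# Answers for which no request was seen are ignored.
	if ( [c$uid, msg$id] !in pending )
		return;

	local info = pending[c$uid, msg$id];

	if ( ! info?$answers )
		info$answers = vector();

	info$answers[|info$answers|] = rr;
	}

event bro_init()
	{
	Log::create_stream(DNSSummary::LOG, [$columns=Info]);
	}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	local info: Info = [$ts=network_time(), $uid=c$uid, $id=c$id, $trans_id=msg$id];
	info$query = query;
	info$qtype = qtype;
	pending[c$uid, msg$id] = info;
	}

# One event per answer record; each appends to the pending transaction.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	add_answer(c, msg, fmt("A %s", a));
	}

event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
	{
	add_answer(c, msg, fmt("CNAME %s", name));
	}

event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	# The transaction id is what ties the rejection back to the request.
	if ( [c$uid, msg$id] !in pending )
		return;

	pending[c$uid, msg$id]$rejected = T;
	pending[c$uid, msg$id]$rcode = msg$rcode;
	}

event dns_end(c: connection, msg: dns_msg)
	{
	# dns_end fires for both queries and replies; only flush on the reply.
	if ( ! msg$QR || [c$uid, msg$id] !in pending )
		return;

	local info = pending[c$uid, msg$id];
	info$rcode = msg$rcode;
	Log::write(DNSSummary::LOG, info);
	delete pending[c$uid, msg$id];
	}
```

# Other reply types (NS, MX, TXT, ...) can be folded in by adding a handler that
# calls add_answer with a matching label; the flush logic in dns_end does not change.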
## Generated for DHCP messages of type *discover*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## req_addr: The specific address requested by the client.
##
## .. bro:see:: dhcp_ack dhcp_decline dhcp_nak dhcp_offer dhcp_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%);
## Generated for DHCP messages of type *offer*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## mask: The subnet mask specified by the message.
##
## router: The list of routers specified by the message.
##
## lease: The lease interval specified by the message.
##
## serv_addr: The server address specified by the message.
##
## .. bro:see:: dhcp_ack dhcp_decline dhcp_discover dhcp_nak dhcp_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
## Generated for DHCP messages of type *request*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## req_addr: The client address specified by the message.
##
## serv_addr: The server address specified by the message.
##
## .. bro:see:: dhcp_ack dhcp_decline dhcp_discover dhcp_nak dhcp_offer
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%);
## Generated for DHCP messages of type *decline*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## .. bro:see:: dhcp_ack dhcp_discover dhcp_nak dhcp_offer dhcp_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_decline%(c: connection, msg: dhcp_msg%);
## Generated for DHCP messages of type *acknowledgment*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## mask: The subnet mask specified by the message.
##
## router: The list of routers specified by the message.
##
## lease: The lease interval specified by the message.
##
## serv_addr: The server address specified by the message.
##
## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_nak
## dhcp_release dhcp_inform
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
## Generated for DHCP messages of type *negative acknowledgment*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack
## dhcp_release dhcp_inform
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_nak%(c: connection, msg: dhcp_msg%);
## Generated for DHCP messages of type *release*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack
## dhcp_nak dhcp_inform
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_release%(c: connection, msg: dhcp_msg%);
## Generated for DHCP messages of type *inform*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack
## dhcp_nak dhcp_release
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_inform%(c: connection, msg: dhcp_msg%);
## Generated for HTTP requests. Bro supports persistent and pipelined HTTP sessions
## and raises corresponding events as it parses client/server dialogues. This event
## is generated as soon as a request's initial line has been parsed, and before any
## :bro:id:`http_header` events are raised.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## method: The HTTP method extracted from the request (e.g., ``GET``, ``POST``).
##
## original_URI: The unprocessed URI as specified in the request.
##
## unescaped_URI: The URI with all percent-encodings decoded.
##
## version: The version number specified in the request (e.g., ``1.1``).
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_entity_data http_event http_header http_message_done http_reply http_stats
## truncate_http_URI
event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request";
## Generated for HTTP replies. Bro supports persistent and pipelined HTTP sessions
## and raises corresponding events as it parses client/server dialogues. This event
## is generated as soon as a reply's initial line has been parsed, and before any
## :bro:id:`http_header` events are raised.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## version: The version number specified in the reply (e.g., ``1.1``).
##
## code: The numerical response code returned by the server.
##
## reason: The textual description returned by the server along with *code*.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_entity_data http_event http_header http_message_done http_request
## http_stats
event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply";
## Generated for HTTP headers. Bro supports persistent and pipelined HTTP sessions
## and raises corresponding events as it parses client/server dialogues.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## is_orig: True if the header was sent by the originator of the TCP connection.
##
## name: The name of the header.
##
## value: The value of the header.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_entity_data http_event http_message_done http_reply http_request
## http_stats
##
## .. note:: This event is also raised for headers found in nested body entities.
event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header";
## Generated for HTTP headers, passing on all headers of an HTTP message at once.
## Bro supports persistent and pipelined HTTP sessions and raises corresponding
## events as it parses client/server dialogues.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## is_orig: True if the header was sent by the originator of the TCP connection.
##
## hlist: A *table* containing all headers extracted from the current entity.
## The table is indexed by the position of the header (1 for the first, 2 for the
## second, etc.).
##
## .. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data
## http_event http_header http_message_done http_reply http_request http_stats
##
## .. note:: This event is also raised for headers found in nested body entities.
event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header";
## Generated when starting to parse an HTTP body entity. This event is generated
## at least once for each non-empty (client or server) HTTP body; and potentially
## more than once if the body contains further nested MIME entities. Bro raises
## this event just before it starts parsing each entity's content.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## is_orig: True if the entity was sent by the originator of the TCP
## connection.
##
## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data
## http_event http_header http_message_done http_reply http_request http_stats
## mime_begin_entity
event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body";
## Generated when finishing parsing an HTTP body entity. This event is generated
## at least once for each non-empty (client or server) HTTP body; and potentially
## more than once if the body contains further nested MIME entities. Bro raises
## this event at the point when it has finished parsing an entity's content.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## is_orig: True if the entity was sent by the originator of the TCP
## connection.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data
## http_event http_header http_message_done http_reply http_request
## http_stats mime_end_entity
event http_end_entity%(c: connection, is_orig: bool%) &group="http-body";
## Generated when parsing an HTTP body entity, passing on the data. This event
## can potentially be raised many times for each entity, each time passing a
## chunk of the data of unspecified size.
##
## A common idiom for using this event is to first *reassemble* the data
## at the scripting layer by concatenating it to a successively growing
## string, and only perform further content analysis once the corresponding
## :bro:id:`http_end_entity` event has been raised. Note, however, that doing so
## can be quite expensive for large HTTP transfers. At the very least, one should
## impose an upper size limit on how much data is being buffered.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## is_orig: True if the entity was sent by the originator of the TCP
## connection.
##
## length: The length of *data*.
##
## data: One chunk of raw entity data.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_event http_header http_message_done http_reply http_request http_stats
## mime_entity_data http_entity_data_delivery_size skip_http_data
event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body";
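# The reassembly idiom described above, as an added example in Bro script
# (not code from event.bif or the Bro distribution). It buffers each entity's
# data per connection and direction, gives up once a size cap is exceeded,
# and hands the complete body over once http_end_entity fires. The names
# entity_buf, entity_over and max_entity_buf are hypothetical.

```bro
# Upper bound on buffered bytes per entity (1 MiB); exceeding it abandons
# the entity instead of letting the buffer grow without limit.
const max_entity_buf = 1024 * 1024 &redef;

# Buffers keyed by connection id and direction, so that request and reply
# bodies on the same persistent connection are never mixed.
global entity_buf: table[conn_id, bool] of string;

# Entities that already exceeded the cap; further chunks are dropped.
global entity_over: set[conn_id, bool];

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
	{
	if ( [c$id, is_orig] in entity_over )
		return;

	if ( [c$id, is_orig] !in entity_buf )
		entity_buf[c$id, is_orig] = "";

	if ( |entity_buf[c$id, is_orig]| + length > max_entity_buf )
		{
		# Stop buffering this entity rather than hold unbounded data.
		delete entity_buf[c$id, is_orig];
		add entity_over[c$id, is_orig];
		return;
		}

	entity_buf[c$id, is_orig] += data;
	}

event http_end_entity(c: connection, is_orig: bool)
	{
	if ( [c$id, is_orig] in entity_buf )
		{
		local body = entity_buf[c$id, is_orig];
		# The complete entity is available here for content analysis;
		# as a placeholder, report its direction and size.
		print fmt("%s entity on %s: %d bytes",
		          is_orig ? "request" : "reply", c$id$orig_h, |body|);
		delete entity_buf[c$id, is_orig];
		}

	delete entity_over[c$id, is_orig];
	}

event connection_state_remove(c: connection)
	{
	# Release any partial state if the connection ends mid-entity.
	delete entity_buf[c$id, T];
	delete entity_buf[c$id, F];
	delete entity_over[c$id, T];
	delete entity_over[c$id, F];
	}
```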
## Generated for reporting an HTTP body's content type. This event is
## generated at the end of parsing an HTTP header, passing on the MIME
## type as specified by the ``Content-Type`` header. If that header is
## missing, this event is still raised with a default value of ``text/plain``.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## is_orig: True if the entity was sent by the originator of the TCP
## connection.
##
## ty: The main type.
##
## subty: The subtype.
##
## .. bro:see:: http_all_headers http_begin_entity http_end_entity http_entity_data
## http_event http_header http_message_done http_reply http_request http_stats
##
## .. note:: This event is also raised for headers found in nested body
## entities.
event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%) &group="http-body";
## Generated once at the end of parsing an HTTP message. Bro supports persistent
## and pipelined HTTP sessions and raises corresponding events as it parses
## client/server dialogues. A "message" is one top-level HTTP entity, such as a
## complete request or reply. Each message can have further nested sub-entities
## inside. This event is raised once all sub-entities belonging to a top-level
## message have been processed (and their corresponding ``http_entity_*`` events
## generated).
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## is_orig: True if the entity was sent by the originator of the TCP
## connection.
##
## stat: Further meta information about the message.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_entity_data http_event http_header http_reply http_request http_stats
event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) &group="http-body";
## Generated for errors found when decoding HTTP requests or replies.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## event_type: A string describing the general category of the problem found (e.g.,
## ``illegal format``).
##
## detail: Further more detailed description of the error.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_entity_data http_header http_message_done http_reply http_request
## http_stats mime_event
event http_event%(c: connection, event_type: string, detail: string%);
## Generated at the end of an HTTP session to report statistics about it. This
## event is raised after all of an HTTP session's requests and replies have been
## fully processed.
##
## c: The connection.
##
## stats: Statistics summarizing HTTP-level properties of the finished connection.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_entity_data http_event http_header http_message_done http_reply
## http_request
event http_stats%(c: connection, stats: http_stats_rec%);
## Generated when seeing an SSH client's version identification. The SSH protocol
## starts with a clear-text handshake message that reports client and server
## protocol/software versions. This event provides access to what the client
## sent.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Secure_Shell>`__ for more
## information about the SSH protocol.
##
## c: The connection.
##
## version: The version string the client sent (e.g., ``SSH-2.0-libssh-0.11``).
##
## .. bro:see:: ssh_server_version
##
## .. note:: As everything after the initial version handshake proceeds encrypted,
## Bro cannot further analyze SSH sessions.
event ssh_client_version%(c: connection, version: string%);
## Generated when seeing an SSH server's version identification. The SSH protocol
## starts with a clear-text handshake message that reports client and server
## protocol/software versions. This event provides access to what the server
## sent.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Secure_Shell>`__ for more
## information about the SSH protocol.
##
## c: The connection.
##
## version: The version string the server sent (e.g.,
## ``SSH-1.99-OpenSSH_3.9p1``).
##
## .. bro:see:: ssh_client_version
##
## .. note:: As everything coming after the initial version handshake proceeds
## encrypted, Bro cannot further analyze SSH sessions.
event ssh_server_version%(c: connection, version: string%);
## Generated for an SSL/TLS client's initial *hello* message. SSL/TLS sessions
## start with an unencrypted handshake, and Bro extracts as much information out
## of that as it can. This event provides access to the initial information sent by
## the client.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
## more information about the SSL/TLS protocol.
##
## c: The connection.
##
## version: The protocol version as extracted from the client's
## message. The values are standardized as part of the SSL/TLS protocol. The
## :bro:id:`SSL::version_strings` table maps them to descriptive names.
##
## possible_ts: The current time as sent by the client. Note that SSL/TLS does not
## require clocks to be set correctly, so treat with care.
##
## session_id: The session ID sent by the client (if any).
##
## ciphers: The list of ciphers the client offered to use. The values are
## standardized as part of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table
## maps them to descriptive names.
##
## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
## ssl_session_ticket_handshake x509_certificate x509_error x509_extension
## ssl_max_cipherspec_size
event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%);
## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
## start with an unencrypted handshake, and Bro extracts as much information out
## of that as it can. This event provides access to the initial information sent by
## the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
## more information about the SSL/TLS protocol.
##
## c: The connection.
##
## version: The protocol version as extracted from the server's message.
## The values are standardized as part of the SSL/TLS protocol. The
## :bro:id:`SSL::version_strings` table maps them to descriptive names.
##
## possible_ts: The current time as sent by the server. Note that SSL/TLS does not
## require clocks to be set correctly, so treat with care.
##
## session_id: The session ID as sent back by the server (if any).
##
## cipher: The cipher chosen by the server. The values are standardized as part
## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps them to
## descriptive names.
##
## comp_method: The compression method chosen by the server. The values are
## standardized as part of the SSL/TLS protocol.
##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
## ssl_session_ticket_handshake x509_certificate x509_error x509_extension
## ssl_max_cipherspec_size
event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%);
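# An added consistency check in Bro script (not code from event.bif or the
# Bro distribution) that ties ssl_client_hello to ssl_server_hello: it records
# the cipher suites a client offers and flags a server that selects a cipher
# the client never proposed, which a conforming server must not do. It assumes
# SSL::cipher_desc is a table[count] of string; the name offered_ciphers is
# hypothetical.

```bro
# Cipher suites offered per connection, filled by ssl_client_hello and
# consumed by the matching ssl_server_hello.
global offered_ciphers: table[conn_id] of count_set;

event ssl_client_hello(c: connection, version: count, possible_ts: time,
                       session_id: string, ciphers: count_set)
	{
	offered_ciphers[c$id] = ciphers;
	}

event ssl_server_hello(c: connection, version: count, possible_ts: time,
                       session_id: string, cipher: count, comp_method: count)
	{
	# No client hello seen, e.g. the connection was picked up mid-stream.
	if ( c$id !in offered_ciphers )
		return;

	local offered = offered_ciphers[c$id];
	delete offered_ciphers[c$id];

	# Map the numeric suite to its descriptive name when the table knows it.
	local name = cipher in SSL::cipher_desc ?
	             SSL::cipher_desc[cipher] : fmt("unknown-0x%04x", cipher);

	if ( cipher !in offered )
		print fmt("%s:%s chose %s, which the client did not offer",
		          c$id$resp_h, c$id$resp_p, name);
	}

event connection_state_remove(c: connection)
	{
	# Drop state for connections whose server hello never arrived.
	delete offered_ciphers[c$id];
	}
```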
## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS sessions
## start with an unencrypted handshake, and Bro extracts as much information out of
## that as it can. This event provides access to any extensions either side sends
## as part of an extended *hello* message.
##
## c: The connection.
##
## is_orig: True if event is raised for originator side of the connection.
##
## code: The numerical code of the extension. The values are standardized as
## part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps them to
## descriptive names.
##
## val: The raw extension value that was sent in the message.
##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake x509_certificate x509_error x509_extension
event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
## an unencrypted handshake, and Bro extracts as much information out of that as
## it can. This event signals the time when an SSL/TLS session has finished the handshake
## and its endpoints consider it as fully established. Typically, everything from
## now on will be encrypted.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
## more information about the SSL/TLS protocol.
##
## c: The connection.
##
## .. bro:see:: ssl_alert ssl_client_hello ssl_extension ssl_server_hello
## ssl_session_ticket_handshake x509_certificate x509_error x509_extension
event ssl_established%(c: connection%);
## Generated for SSL/TLS alert records. SSL/TLS sessions start with an unencrypted
## handshake, and Bro extracts as much information out of that as it can. If during
## that handshake, an endpoint encounters a fatal error, it sends an *alert*
## record, which in turn triggers this event. After an *alert*, any endpoint
## may close the connection immediately.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
## more information about the SSL/TLS protocol.
##
## c: The connection.
##
## is_orig: True if event is raised for originator side of the connection.
##
## level: The severity level, as sent in the *alert*. The values are defined as
## part of the SSL/TLS protocol.
##
## desc: A numerical value identifying the cause of the *alert*. The values are
## defined as part of the SSL/TLS protocol.
##
## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
## ssl_session_ticket_handshake x509_certificate x509_error x509_extension
event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
## Generated for SSL/TLS handshake messages that are a part of the stateless-server
## session resumption mechanism. SSL/TLS sessions start with an unencrypted
## handshake, and Bro extracts as much information out of that as it can. This
## event is raised when an SSL/TLS server passes a session ticket to the client that
## can later be used for resuming the session. The mechanism is described in
## :rfc:`4507`.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
## more information about the SSL/TLS protocol.
##
## c: The connection.
##
## ticket_lifetime_hint: A hint from the server about how long the ticket
## should be stored by the client.
##
## ticket: The raw ticket data.
##
## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
## x509_certificate x509_error x509_extension ssl_alert
event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);
## Generated for X.509 certificates seen in SSL/TLS connections. During the initial
## SSL/TLS handshake, certificates are exchanged in the clear. Bro raises this
## event for each certificate seen (including both a site's primary cert, and
## further certs sent as part of the validation chain).
##
## See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information about
## the X.509 format.
##
## c: The connection.
##
## is_orig: True if event is raised for originator side of the connection.
##
## cert: The parsed certificate.
##
## chain_idx: The index in the validation chain that this cert has. Index zero
## indicates an endpoint's primary cert, while higher indices
## indicate the place in the validation chain (which has length
## *chain_len*).
##
## chain_len: The total length of the validation chain that this cert is part
## of.
##
## der_cert: The complete cert encoded in `DER
## <http://en.wikipedia.org/wiki/Distinguished_Encoding_Rules>`__ format.
##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
## ssl_server_hello x509_error x509_extension x509_verify
event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string%);
## Generated for X.509 extensions seen in a certificate.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information about
## the X.509 format.
##
## c: The connection.
##
## is_orig: True if event is raised for originator side of the connection.
##
## data: The raw data associated with the extension.
##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
## ssl_server_hello x509_certificate x509_error x509_verify
event x509_extension%(c: connection, is_orig: bool, data: string%);
## Generated when errors occur during parsing an X.509 certificate.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information about
## the X.509 format.
##
## c: The connection.
##
## is_orig: True if event is raised for originator side of the connection.
##
## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors` maps
## error codes to a textual description.
##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
## ssl_server_hello x509_certificate x509_extension x509_err2str x509_verify
event x509_error%(c: connection, is_orig: bool, err: count%);
## TODO.
##
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%);
## TODO.
##
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_message dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dce_rpc_bind%(c: connection, uuid: string%);
## TODO.
##
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dce_rpc_request%(c: connection, opnum: count, stub: string%);
## TODO.
##
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
## dce_rpc_request rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dce_rpc_response%(c: connection, opnum: count, stub: string%);
## TODO.
##
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
## dce_rpc_request dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event epm_map_response%(c: connection, uuid: string, p: port, h: addr%);
## Generated for NCP requests (Netware Core Protocol).
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetWare_Core_Protocol>`__ for more
## information about the NCP protocol.
##
## c: The connection.
##
## frame_type: The frame type, as specified by the protocol.
##
## length: The length of the request body, excluding the frame header.
##
## func: The requested function, as specified by the protocol.
##
## .. bro:see:: ncp_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event ncp_request%(c: connection, frame_type: count, length: count, func: count%);
## Generated for NCP replies (Netware Core Protocol).
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetWare_Core_Protocol>`__ for more
## information about the NCP protocol.
##
## c: The connection.
##
## frame_type: The frame type, as specified by the protocol.
##
## length: The length of the reply body, excluding the frame header.
##
## req_frame: The frame type from the corresponding request.
##
## req_func: The function code from the corresponding request.
##
## completion_code: The reply's completion code, as specified by the protocol.
##
## .. bro:see:: ncp_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%);
## Generated for client-side commands on POP3 connections.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information about
## the POP3 protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## command: The command sent.
##
## arg: The argument to the command.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
## pop3_terminate pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pop3_request%(c: connection, is_orig: bool, command: string, arg: string%);
## Generated for server-side replies to commands on POP3 connections.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information about
## the POP3 protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## cmd: The success indicator sent by the server. This corresponds to the
## first token on the line sent, and should be either ``OK`` or ``ERR``.
##
## msg: The textual description the server sent along with *cmd*.
##
## arg: The argument to the command.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request
## pop3_terminate pop3_unexpected
##
## .. todo:: This event is receiving odd parameters, should unify.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
## Generated for server-side multi-line responses on POP3 connections. POP3
## connections use multi-line responses to send bulk data, such as the actual
## mails. This event is generated once for each line that's part of such a
## response.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information about
## the POP3 protocol.
##
## c: The connection.
##
## is_orig: True if the data was sent by the originator of the TCP connection.
##
## data: The data sent.
##
## .. bro:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
## pop3_terminate pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pop3_data%(c: connection, is_orig: bool, data: string%);
## Generated for errors encountered on POP3 sessions. If the POP3 analyzer finds
## state transitions that do not conform to the protocol specification, or other
## situations it can't handle, it raises this event.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information about
## the POP3 protocol.
##
## c: The connection.
##
## is_orig: True if the data was sent by the originator of the TCP connection.
##
## msg: A textual description of the situation.
##
## detail: The input that triggered the event.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
## pop3_terminate
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pop3_unexpected%(c: connection, is_orig: bool,
msg: string, detail: string%);
## Generated when a POP3 connection goes encrypted. While POP3 is by default a
## clear-text protocol, extensions exist to switch to encryption. This event is
## generated if that happens, and the analyzer then stops processing the
## connection.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information about
## the POP3 protocol.
##
## c: The connection.
##
## is_orig: Always false.
##
## msg: A descriptive message why processing was stopped.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
## pop3_unexpected
##
## .. note:: Currently, only the ``STARTLS`` command is recognized and
## triggers this.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pop3_terminate%(c: connection, is_orig: bool, msg: string%);
## Generated for successful authentications on POP3 connections.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information about
## the POP3 protocol.
##
## c: The connection.
##
## is_orig: Always false.
##
## user: The user name used for authentication. The event is only generated if
## a non-empty user name was used.
##
## password: The password used for authentication.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_reply pop3_request pop3_terminate
## pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pop3_login_success%(c: connection, is_orig: bool,
user: string, password: string%);
## Generated for unsuccessful authentications on POP3 connections.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information about
## the POP3 protocol.
##
## c: The connection.
##
## is_orig: Always false.
##
## user: The user name attempted for authentication. The event is only generated if
## a non-empty user name was used.
##
## password: The password attempted for authentication.
##
## .. bro:see:: pop3_data pop3_login_success pop3_reply pop3_request pop3_terminate
## pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pop3_login_failure%(c: connection, is_orig: bool,
user: string, password: string%);
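The pop3_request, pop3_reply, pop3_data, pop3_unexpected, pop3_terminate and pop3_login_* events above all fall out of one small piece of session state: which client command is pending, whether the server's status line is +OK or -ERR, whether the session is inside a "."-terminated multi-line response, and whether STLS has moved the connection to TLS. The following Python tracker is an added illustration written for this page; it is not the Bro analyzer's code, and the transcripts, the event tuple shapes and the set of multi-line commands it recognizes are assumptions made for the example.

```python
"""Toy POP3 session tracker, modelled on the pop3_* events documented above.

Added example, not Bro's own analyzer code. It reconstructs the state the
analyzer has to keep to raise those events: the pending command, the
+OK/-ERR status line, the multi-line data phase terminated by ".", and the
point at which an accepted STLS means parsing must stop.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Commands whose +OK reply is followed by a multi-line response (RFC 1939).
MULTI_LINE_CMDS = {"LIST", "RETR", "TOP", "UIDL", "CAPA"}

Event = Tuple  # ("request" | "reply" | "data" | "login_success" | ..., *fields)


@dataclass
class Pop3Tracker:
    events: List[Event] = field(default_factory=list)
    pending: Optional[str] = None   # client command awaiting its status line
    pending_arg: str = ""
    user: str = ""                  # last USER argument seen
    in_multiline: bool = False      # inside a "."-terminated response
    encrypted: bool = False         # STLS accepted: stop parsing

    def feed(self, is_orig: bool, line: str) -> None:
        """Feed one line; is_orig is True for lines sent by the client."""
        if self.encrypted:
            return                  # "terminate" already raised
        line = line.rstrip("\r\n")
        if is_orig:
            self._client_line(line)
        else:
            self._server_line(line)

    def _client_line(self, line: str) -> None:
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        self.events.append(("request", cmd, arg))      # cf. pop3_request
        self.pending, self.pending_arg = cmd, arg
        if cmd == "USER":
            self.user = arg

    def _server_line(self, line: str) -> None:
        if self.in_multiline:
            if line == ".":
                self.in_multiline = False
            else:
                # Byte-stuffing: a data line starting with "." is sent as "..".
                self.events.append(("data", line[1:] if line.startswith("..") else line))
            return
        status, _, msg = line.partition(" ")
        if status not in ("+OK", "-ERR"):
            # cf. pop3_unexpected: neither a status line nor multi-line data.
            self.events.append(("unexpected", "reply without status indicator", line))
            return
        ok = status == "+OK"
        self.events.append(("reply", status[1:], msg))   # cf. pop3_reply
        cmd, arg = self.pending, self.pending_arg
        self.pending = None
        if cmd is None:
            return                  # server greeting, nothing pending
        if cmd == "PASS" and self.user:
            # Only raised with a non-empty user name, as documented above.
            self.events.append(("login_success" if ok else "login_failure", self.user, arg))
        elif cmd == "STLS" and ok:
            self.encrypted = True
            self.events.append(("terminate", "STLS accepted; connection is now encrypted"))
        elif cmd in MULTI_LINE_CMDS and ok:
            self.in_multiline = True


def run_session(transcript: List[Tuple[bool, str]]) -> List[Event]:
    tracker = Pop3Tracker()
    for is_orig, line in transcript:
        tracker.feed(is_orig, line)
    return tracker.events


# Constructed transcript (not a real capture): a failed and then a successful
# login, a multi-line LIST response, one malformed server line, then QUIT.
SAMPLE_SESSION = [
    (False, "+OK POP3 server ready"),
    (True,  "USER alice"),
    (False, "+OK"),
    (True,  "PASS wrong"),
    (False, "-ERR invalid password"),
    (True,  "PASS s3cret"),
    (False, "+OK logged in"),
    (True,  "LIST"),
    (False, "+OK 2 messages"),
    (False, "1 120"),
    (False, "2 340"),
    (False, "."),
    (False, "garbage"),
    (True,  "QUIT"),
    (False, "+OK bye"),
]

# Constructed STLS transcript: once the server accepts STLS, the remaining
# lines are TLS records that the tracker must not interpret as POP3.
STLS_SESSION = [
    (False, "+OK ready"),
    (True,  "STLS"),
    (False, "+OK begin TLS negotiation"),
    (True,  "\x16\x03\x01 client hello (constructed)"),
    (False, "\x16\x03\x03 server hello (constructed)"),
]

if __name__ == "__main__":
    for ev in run_session(SAMPLE_SESSION):
        print(ev)
```

The login_failure tuple carries the attempted user name and password exactly as the event signature above does; a script consuming it should count and alert on failures rather than log the password field.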
## Generated for all client-side IRC commands.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: Always true.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## command: The command.
##
## arguments: The arguments for the command.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
##
## .. note:: This event is generated only for messages that originate at the
## client side. Commands coming in from the remote side trigger the
## :bro:id:`irc_message` event instead.
event irc_request%(c: connection, is_orig: bool, prefix: string,
command: string, arguments: string%);
## Generated for all IRC replies. IRC replies are sent in response to a
## request and come with a reply code.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## prefix: The optional prefix coming with the reply. IRC uses the prefix to
## indicate the true origin of a message.
##
## code: The reply code, as specified by the protocol.
##
## params: The reply's parameters.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_reply%(c: connection, is_orig: bool, prefix: string,
code: count, params: string%);
## Generated for IRC commands forwarded from the server to the client.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: Always false.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## command: The command.
##
## arguments: The arguments for the command.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
##
## .. note::
##
## This event is generated only for messages that are forwarded by the server
## to the client. Commands coming from client trigger the :bro:id:`irc_request`
## event instead.
event irc_message%(c: connection, is_orig: bool, prefix: string,
command: string, message: string%);
## Generated for IRC messages of type *quit*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## nick: The nick name coming with the message.
##
## message: The text included with the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%);
## Generated for IRC messages of type *privmsg*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## source: The source of the private communication.
##
## target: The target of the private communication.
##
## message: The text of communication.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_privmsg_message%(c: connection, is_orig: bool, source: string,
target: string, message: string%);
## Generated for IRC messages of type *notice*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## source: The source of the private communication.
##
## target: The target of the private communication.
##
## message: The text of communication.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_notice_message%(c: connection, is_orig: bool, source: string,
target: string, message: string%);
## Generated for IRC messages of type *squery*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## source: The source of the private communication.
##
## target: The target of the private communication.
##
## message: The text of communication.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_squery_message%(c: connection, is_orig: bool, source: string,
target: string, message: string%);
## Generated for IRC messages of type *join*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## info_list: The user information coming with the command.
##
## message: The text of communication.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%);
## Generated for IRC messages of type *part*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## nick: The nickname coming with the message.
##
## chans: The set of channels affected.
##
## message: The text coming with the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_password_message
event irc_part_message%(c: connection, is_orig: bool, nick: string,
chans: string_set, message: string%);
## Generated for IRC messages of type *nick*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## who: The user changing its nickname.
##
## newnick: The new nickname.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: string%);
## Generated when a server rejects an IRC nickname.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_invalid_nick%(c: connection, is_orig: bool%);
## Generated for an IRC reply of type *luserclient*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## users: The number of users as returned in the reply.
##
## services: The number of services as returned in the reply.
##
## servers: The number of servers as returned in the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_network_info%(c: connection, is_orig: bool, users: count,
services: count, servers: count%);
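The irc_request, irc_reply and irc_message events above are three views of the same line format: an optional ":prefix", a command that is either a verb or a three-digit numeric code, and parameters of which the last may be a space-containing trailing parameter introduced by " :". The Python parser below is an added illustration for this page, not Bro's analyzer code; it splits a line into those three fields, classifies it the way the events are documented (client lines to request, numeric server lines to reply with a count code, other server lines to message), and then derives the (source, target, message) fields of irc_privmsg_message and the (users, services, servers) fields of irc_network_info from two such lines. The sample exchange is constructed, and the exact text of the 251 reply it parses is an assumption based on RFC 2812's format for that numeric.

```python
"""IRC line parser modelled on irc_request / irc_reply / irc_message above.

Added example, not Bro's own analyzer code. Everything below is derived from
the RFC 1459 line syntax; the helpers for PRIVMSG and numeric 251 show how
the irc_privmsg_message and irc_network_info parameters are obtained.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

RPL_LUSERCLIENT = 251   # numeric of the *luserclient* reply (RFC 2812)


@dataclass(frozen=True)
class IrcLine:
    prefix: str             # "" when the line carries no ":prefix"
    command: str            # verb such as PRIVMSG, or a 3-digit numeric
    params: Tuple[str, ...]


def parse_irc_line(line: str) -> IrcLine:
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # The trailing parameter starts at the first " :" and may itself contain
    # spaces and colons, so it is split off before the other parameters.
    head, sep, trailing = line.partition(" :")
    words = head.split()
    if not words:
        raise ValueError("IRC line without a command: %r" % line)
    params = tuple(words[1:]) + ((trailing,) if sep else ())
    return IrcLine(prefix, words[0].upper(), params)


def classify(is_orig: bool, line: str) -> tuple:
    """Map one line to the event the analyzer would raise for it."""
    m = parse_irc_line(line)
    joined = " ".join(m.params)
    if is_orig:
        return ("irc_request", m.prefix, m.command, joined)
    if re.fullmatch(r"\d{3}", m.command):
        return ("irc_reply", m.prefix, int(m.command), joined)   # code as count
    return ("irc_message", m.prefix, m.command, joined)


def nick_of(prefix: str) -> str:
    """'nick!user@host' -> 'nick'; a bare server name is returned unchanged."""
    return prefix.split("!", 1)[0]


def privmsg_event(m: IrcLine) -> Optional[Tuple[str, str, str]]:
    """(source, target, message) as irc_privmsg_message carries them."""
    if m.command != "PRIVMSG" or len(m.params) < 2:
        return None
    return (nick_of(m.prefix), m.params[0], m.params[1])


_LUSER_RE = re.compile(r"There are (\d+) users and (\d+) services on (\d+) servers")


def network_info(m: IrcLine) -> Optional[Tuple[int, int, int]]:
    """(users, services, servers) from a 251 reply, as irc_network_info does."""
    if m.command != str(RPL_LUSERCLIENT) or not m.params:
        return None
    hit = _LUSER_RE.search(m.params[-1])
    return tuple(int(x) for x in hit.groups()) if hit else None


# Constructed exchange (not a real capture); is_orig marks client lines.
SAMPLE = [
    (True,  "NICK alice"),
    (True,  "USER alice 0 * :Alice Example"),
    (False, ":irc.example.test 001 alice :Welcome to the network"),
    (False, ":irc.example.test 251 alice :There are 3 users and 0 services on 1 servers"),
    (True,  "JOIN #ops"),
    (False, ":bob!bob@host.example.test PRIVMSG #ops :hello :alice"),
    (True,  "QUIT :bye"),
]

if __name__ == "__main__":
    for is_orig, raw in SAMPLE:
        print(classify(is_orig, raw))
```

Note that the prefix is whatever the peer put on the wire; as the parameter descriptions above say, it indicates the claimed origin of a message, which a server relays but a detection script should not treat as authenticated.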
## Generated for an IRC reply of type *luserme*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## users: The number of users as returned in the reply.
##
## services: The number of services as returned in the reply.
##
## servers: The number of servers as returned in the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_server_info%(c: connection, is_orig: bool, users: count,
services: count, servers: count%);
## Generated for an IRC reply of type *luserchannels*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## chans: The number of channels as returned in the reply.
##
## .. bro:see:: irc_channel_topic irc_dcc_message irc_error_message irc_global_users
## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_channel_info%(c: connection, is_orig: bool, chans: count%);
## Generated for an IRC reply of type *whoreply*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## target_nick: The target nick name.
##
## channel: The channel.
##
## user: The user.
##
## host: The host.
##
## server: The server.
##
## nick: The nick name.
##
## params: The parameters.
##
## hops: The hop count.
##
## real_name: The real name.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_who_line%(c: connection, is_orig: bool, target_nick: string,
channel: string, user: string, host: string,
server: string, nick: string, params: string,
hops: count, real_name: string%);
## Generated for an IRC reply of type *namereply*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## c_type: The channel type.
##
## channel: The channel.
##
## users: The set of users.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_names_info%(c: connection, is_orig: bool, c_type: string,
channel: string, users: string_set%);
## Generated for an IRC reply of type *whoisoperator*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## nick: The nick name specified in the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%);
## Generated for an IRC reply of type *whoischannels*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## nick: The nick name specified in the reply.
##
## chans: The set of channels returned.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string,
chans: string_set%);
## Generated for an IRC reply of type *whoisuser*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## nick: The nick name specified in the reply.
##
## user: The user name specified in the reply.
##
## host: The host name specified in the reply.
##
## real_name: The real name specified in the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_whois_user_line%(c: connection, is_orig: bool, nick: string,
user: string, host: string, real_name: string%);
## Generated for IRC replies of type *youreoper* and *nooperhost*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## got_oper: True if the *oper* command was executed successfully
## (*youreoper*) and false otherwise (*nooperhost*).
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_part_message
## irc_password_message
event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%);
## Generated for an IRC reply of type *globalusers*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## msg: The message coming with the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: string%);
## Generated for an IRC reply of type *topic*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## channel: The channel name specified in the reply.
##
## topic: The topic specified in the reply.
##
## .. bro:see:: irc_channel_info irc_dcc_message irc_error_message irc_global_users
## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%);
## Generated for IRC messages of type *who*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## mask: The mask specified in the message.
##
## oper: True if the operator flag was set.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%);
## Generated for IRC messages of type *whois*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%);
## Generated for IRC messages of type *oper*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## user: The user specified in the message.
##
## password: The password specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_response irc_part_message
## irc_password_message
event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%);
## Generated for IRC messages of type *kick*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## chans: The channels specified in the message.
##
## users: The users specified in the message.
##
## comment: The comment specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_kick_message%(c: connection, is_orig: bool, prefix: string,
chans: string, users: string, comment: string%);
## Generated for IRC messages of type *error*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## message: The textual description specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users
## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: string%);
## Generated for IRC messages of type *invite*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## nickname: The nick name specified in the message.
##
## channel: The channel specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_invite_message%(c: connection, is_orig: bool, prefix: string,
nickname: string, channel: string%);
## Generated for IRC messages of type *mode*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## params: The parameters coming with the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%);
## Generated for IRC messages of type *squit*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## server: The server specified in the message.
##
## message: The textual description specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_squit_message%(c: connection, is_orig: bool, prefix: string,
server: string, message: string%);
## Generated for IRC messages of type *dcc*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the message was sent by the originator of the TCP connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## target: The target specified in the message.
##
## dcc_type: The DCC type specified in the message (e.g., ``SEND`` or ``CHAT``).
##
## argument: The argument specified in the message (for ``SEND``, the file name).
##
## address: The address specified in the message, i.e., the address the target
## is asked to connect to.
##
## dest_port: The destination port specified in the message.
##
## size: The size specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_error_message irc_global_users
## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_dcc_message%(c: connection, is_orig: bool,
prefix: string, target: string,
dcc_type: string, argument: string,
address: addr, dest_port: count, size: count%);
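## The following handler is an added example of consuming ``irc_dcc_message``;
## it is not part of this file or of Bro's own scripts. It raises a notice for
## every DCC ``SEND`` offer whose advertised address lies outside the local
## networks, using ``Site::is_local_addr`` from the standard site utilities
## and the Notice framework. The notice type name and the one-hour suppression
## are assumptions chosen for the example.

```bro
module IRCWatch;

export {
    redef enum Notice::Type += {
        ## A DCC SEND offer whose advertised address is outside the local networks.
        DCC_Send_External,
    };
}

event irc_dcc_message(c: connection, is_orig: bool, prefix: string,
                      target: string, dcc_type: string, argument: string,
                      address: addr, dest_port: count, size: count)
    {
    # Only file-transfer offers are of interest here; DCC CHAT and others pass.
    if ( dcc_type != "SEND" )
        return;

    # The address in a DCC SEND is where the recipient is told to connect.
    # Offers pointing outside our own networks are the ones worth a look.
    if ( Site::is_local_addr(address) )
        return;

    # The prefix, when present, names the sender as relayed by the server;
    # otherwise fall back to the originating IP of the IRC connection.
    local sender = prefix == "" ? fmt("%s", c$id$orig_h) : prefix;

    NOTICE([$note=DCC_Send_External,
            $msg=fmt("%s offered %s the file '%s' (%d bytes) from %s:%d",
                     sender, target, argument, size, address, dest_port),
            $conn=c,
            # One notice per (client, offered address, port) per hour.
            $identifier=cat(c$id$orig_h, address, dest_port),
            $suppress_for=1hr]);
    }
```

## Because the event fires for both directions, the same offer may be seen
## once from the client and once as relayed by the server; the ``$identifier``
## collapses both into a single notice.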
## Generated for IRC messages of type *user*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the message was sent by the originator of the TCP connection.
##
## user: The user specified in the message.
##
## host: The host name specified in the message.
##
## server: The server name specified in the message.
##
## real_name: The real name specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_user_message%(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string%);
## Generated for IRC messages of type *password*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the message was sent by the originator of the TCP connection.
##
## password: The password specified in the message. IRC transmits it in
## cleartext, so handlers should take care not to log it unintentionally.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message
event irc_password_message%(c: connection, is_orig: bool, password: string%);
## TODO.
##
## .. bro:see::
event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%);
## Generated for monitored Syslog messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Syslog>`__ for more
## information about the Syslog protocol.
##
## c: The connection record for the underlying transport-layer session/flow.
##
## facility: The "facility" included in the message.
##
## severity: The "severity" included in the message.
##
## msg: The message logged.
##
## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP syslog
## will be added soon.
event syslog_message%(c: connection, facility: count, severity: count, msg: string%);
## Generated when a signature matches. Bro's signature engine provides
## high-performance pattern matching separately from the normal script processing.
## If a signature with an ``event`` action matches, this event is raised.
##
## See the :doc:`user manual </signatures>` for more information about Bro's
## signature engine.
##
## state: Context about the match, including which signature triggered the
## event and the connection for which the match was found.
##
## msg: The message passed to the ``event`` signature action.
##
## data: The last chunk of input that triggered the match. Note that the specifics
## here are not well-defined as Bro does not buffer any input: if a match is split
## across packet boundaries, only the last chunk triggering the match will be
## passed on to the event. The chunk is raw payload and may contain binary data.
event signature_match%(state: signature_state, msg: string, data: string%);
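## The following is an added example of a ``signature_match`` handler; it is
## not part of this file or of Bro's signature framework. It counts matches of
## each signature per sending host in an expiring table and raises a notice
## when one host trips the same signature repeatedly, escaping the raw *data*
## chunk before putting it into a message. It relies on the ``sig_id``,
## ``conn`` and ``is_orig`` fields of ``signature_state``; the threshold,
## window and notice type name are assumptions made for the example.

```bro
module SigWatch;

export {
    redef enum Notice::Type += {
        ## One source host triggered the same signature repeatedly.
        Signature_Burst,
    };
    ## Hits of one signature from one host within burst_window before a notice
    ## is raised (assumed local policy values).
    const burst_threshold = 10 &redef;
    const burst_window = 5min &redef;
}

# Counts per (source host, signature id); entries age out on their own.
global hits: table[addr, string] of count &default=0 &create_expire=burst_window;

event signature_match(state: signature_state, msg: string, data: string)
    {
    # The host that sent the bytes which matched: the originator if the match
    # was in the client->server direction, the responder otherwise.
    local src = state$is_orig ? state$conn$id$orig_h : state$conn$id$resp_h;

    # data is only the last chunk and may be binary; keep a short prefix and
    # escape it so it is safe to include in a notice message.
    local snippet = escape_string(sub_bytes(data, 1, 64));

    local n = hits[src, state$sig_id] + 1;
    hits[src, state$sig_id] = n;

    if ( n == burst_threshold )
        NOTICE([$note=Signature_Burst,
                $msg=fmt("%s hit signature %s %d times in %s: %s (last chunk: %s)",
                         src, state$sig_id, n, burst_window, msg, snippet),
                $conn=state$conn,
                $identifier=cat(src, state$sig_id),
                $suppress_for=burst_window]);
    }
```

## Keying on the sending host rather than the connection is what makes the
## counter useful against a client that opens a fresh connection per attempt.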
## Generated when a protocol analyzer finds an identification of a software
## used on a system. This is a protocol-independent event that is fed by
## different analyzers. For example, the HTTP analyzer reports user-agent and
## server software by raising this event, assuming it can parse it (if not,
## :bro:id:`software_parse_error` will be generated instead).
##
## c: The connection.
##
## host: The host running the reported software.
##
## s: A description of the software found.
##
## descr: The raw (unparsed) software identification string as extracted from the
## protocol.
##
## .. bro:see:: software_parse_error software_unparsed_version_found OS_version_found
event software_version_found%(c: connection, host: addr,
s: software, descr: string%);
## Generated when a protocol analyzer finds an identification of software used on
## a system but cannot parse it. This is a protocol-independent event that is fed
## by different analyzers. For example, the HTTP analyzer reports user-agent and
## server software by raising this event if it cannot parse them directly (if it
## can, :bro:id:`software_version_found` will be generated instead).
##
## c: The connection.
##
## host: The host running the reported software.
##
## descr: The raw (unparsed) software identification string as extracted from the
## protocol.
##
## .. bro:see:: software_version_found software_unparsed_version_found
## OS_version_found
event software_parse_error%(c: connection, host: addr, descr: string%);
## Generated when a protocol analyzer finds an identification of software
## used on a system. This is a protocol-independent event that is fed by
## different analyzers. For example, the HTTP analyzer reports user-agent and
## server software by raising this event. Unlike
## :bro:id:`software_version_found` and :bro:id:`software_parse_error`, this
## event is always raised, independent of whether Bro can parse the version
## string.
##
## c: The connection.
##
## host: The host running the reported software.
##
## str: The software identification string as extracted from the protocol.
##
## .. bro:see:: software_parse_error software_version_found OS_version_found
event software_unparsed_version_found%(c: connection, host: addr, str: string%);
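## The following is an added example of acting on the software events above;
## it is not part of this file or of Bro's software framework. It checks
## versions reported for local hosts against a minimum-major-version table and
## raises a notice below the minimum, while surfacing banners that
## ``software_parse_error`` could not parse so they are not silently lost. It
## uses the ``name`` and ``version`` (``major``, ``minor``, ``minor2``,
## ``addl``) fields of the ``software`` record; the product names and
## thresholds in the table are hypothetical policy values, not statements
## about any version's security.

```bro
module SoftwarePolicy;

export {
    redef enum Notice::Type += {
        ## A local host announced a software version below the policy minimum.
        Outdated_Version,
    };
    ## Minimum acceptable major version per product name as it appears in
    ## software_version_found. These entries are hypothetical policy settings.
    const min_major: table[string] of count = {
        ["OpenSSH"] = 5,
        ["Apache"] = 2,
    } &redef;
}

event software_version_found(c: connection, host: addr, s: software, descr: string)
    {
    # Only enforce policy on hosts we are responsible for.
    if ( ! Site::is_local_addr(host) )
        return;

    if ( s$name !in min_major )
        return;

    if ( s$version$major >= min_major[s$name] )
        return;

    NOTICE([$note=Outdated_Version,
            $msg=fmt("%s runs %s %d.%d.%d%s (policy minimum major %d); raw: %s",
                     host, s$name, s$version$major, s$version$minor,
                     s$version$minor2, s$version$addl, min_major[s$name], descr),
            $conn=c,
            # One notice per host and product per day.
            $identifier=cat(host, s$name),
            $suppress_for=1day]);
    }

event software_parse_error(c: connection, host: addr, descr: string)
    {
    # Policy cannot be applied to an unparsed banner; keep it visible for
    # manual review instead of dropping it.
    if ( Site::is_local_addr(host) )
        print fmt("unparsed software banner from %s: %s", host, descr);
    }
```

## Comparing only the major version keeps the example short; a real policy
## would compare the full version tuple and usually also the ``addl`` string.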
## Generated when an operating system has been fingerprinted. Bro uses `p0f
## <http://lcamtuf.coredump.cx/p0f.shtml>`__ to fingerprint endpoints passively,
## and it raises this event for each system identified. The p0f fingerprints are
## defined by :bro:id:`passive_fingerprint_file`.
##
## c: The connection whose traffic was fingerprinted.
##
## host: The host whose operating system was identified.
##
## OS: The operating system identified.
##
## .. bro:see:: passive_fingerprint_file software_parse_error
## software_version_found software_unparsed_version_found
## generate_OS_version_event
event OS_version_found%(c: connection, host: addr, OS: OS_version%);
## Generated when a connection to a remote Bro has been established. This event
## is intended primarily for use by Bro's communication framework, but it can also
## trigger additional code if helpful.
##
## p: A record describing the peer.
##
## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
## remote_connection_handshake_done remote_event_registered remote_log remote_pong
## remote_state_access_performed remote_state_inconsistency print_hook
event remote_connection_established%(p: event_peer%);
## Generated when a connection to a remote Bro has been closed. This event is
## intended primarily for use by Bro's communication framework, but it can
## also trigger additional code if helpful.
##
## p: A record describing the peer.
##
## .. bro:see:: remote_capture_filter remote_connection_error
## remote_connection_established remote_connection_handshake_done
## remote_event_registered remote_log remote_pong remote_state_access_performed
## remote_state_inconsistency print_hook
event remote_connection_closed%(p: event_peer%);
## Generated when a remote connection's initial handshake has been completed. This
## event is intended primarily for use by Bro's communication framework, but it can
## also trigger additional code if helpful.
##
## p: A record describing the peer.
##
## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
## remote_connection_established remote_event_registered remote_log remote_pong
## remote_state_access_performed remote_state_inconsistency print_hook
event remote_connection_handshake_done%(p: event_peer%);
## Generated for each event registered by a remote peer. This event is intended
## primarily for use by Bro's communication framework, but it can also trigger
## additional code if helpful.
##
## p: A record describing the peer.
##
## name: The name of the event the peer registered for.
##
## .. bro:see:: remote_capture_filter remote_connection_closed
## remote_connection_error remote_connection_established
## remote_connection_handshake_done remote_log remote_pong
## remote_state_access_performed remote_state_inconsistency print_hook
event remote_event_registered%(p: event_peer, name: string%);
## Generated when a connection to a remote Bro encountered an error. This event
## is intended primarily for use by Bro's communication framework, but it can also
## trigger additional code if helpful.
##
## p: A record describing the peer.
##
## reason: A textual description of the error.
##
## .. bro:see:: remote_capture_filter remote_connection_closed
## remote_connection_established remote_connection_handshake_done
## remote_event_registered remote_log remote_pong remote_state_access_performed
## remote_state_inconsistency print_hook
event remote_connection_error%(p: event_peer, reason: string%);
## Generated when a remote peer sent us a capture filter. While this event is
## intended primarily for use by Bro's communication framework, it can also trigger
## additional code if helpful.
##
## p: A record describing the peer.
##
## filter: The filter string sent by the peer.
##
## .. bro:see:: remote_connection_closed remote_connection_error
## remote_connection_established remote_connection_handshake_done
## remote_event_registered remote_log remote_pong remote_state_access_performed
## remote_state_inconsistency print_hook
event remote_capture_filter%(p: event_peer, filter: string%);
## Generated after a call to :bro:id:`send_state` when all data has been
## successfully sent to the remote side. While this event is
## intended primarily for use by Bro's communication framework, it can also trigger
## additional code if helpful.
##
## p: A record describing the remote peer.
##
## .. bro:see:: remote_capture_filter remote_connection_closed
## remote_connection_error remote_connection_established
## remote_connection_handshake_done remote_event_registered remote_log remote_pong
## remote_state_access_performed remote_state_inconsistency print_hook
event finished_send_state%(p: event_peer%);
## Generated if state synchronization detects an inconsistency. While this event
## is intended primarily for use by Bro's communication framework, it can also
## trigger additional code if helpful. This event is only raised if
## :bro:id:`remote_check_sync_consistency` is false.
##
## operation: The textual description of the state operation performed.
##
## id: The name of the Bro script identifier that was operated on.
##
## expected_old: A textual representation of the value of *id* that was expected to
## be found before the operation was carried out.
##
## real_old: A textual representation of the value of *id* that was actually found
## before the operation was carried out. The difference between
## *real_old* and *expected_old* is the inconsistency being reported.
##
## .. bro:see:: remote_capture_filter remote_connection_closed
## remote_connection_error remote_connection_established
## remote_connection_handshake_done remote_event_registered remote_log remote_pong
## remote_state_access_performed print_hook remote_check_sync_consistency
event remote_state_inconsistency%(operation: string, id: string,
expected_old: string, real_old: string%);
## Generated for communication log messages. While this event is
## intended primarily for use by Bro's communication framework, it can also trigger
## additional code if helpful.
##
## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or
## :bro:id:`REMOTE_LOG_ERROR`.
##
## src: The component of the communication system that logged the message.
## Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's
## child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or
## :bro:id:`REMOTE_SRC_SCRIPT` (the script level).
##
## msg: The message logged.
##
## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
## remote_connection_established remote_connection_handshake_done
## remote_event_registered remote_pong remote_state_access_performed
## remote_state_inconsistency print_hook remote_log_peer
event remote_log%(level: count, src: count, msg: string%);
## Generated for communication log messages. While this event is
## intended primarily for use by Bro's communication framework, it can also trigger
## additional code if helpful. This event is equivalent to
## :bro:id:`remote_log` except that the message is with respect to a certain peer.
##
## p: A record describing the remote peer.
##
## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or
## :bro:id:`REMOTE_LOG_ERROR`.
##
## src: The component of the communication system that logged the message.
## Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's
## child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or
## :bro:id:`REMOTE_SRC_SCRIPT` (the script level).
##
## msg: The message logged.
##
## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
## remote_connection_established remote_connection_handshake_done
## remote_event_registered remote_pong remote_state_access_performed
## remote_state_inconsistency print_hook remote_log
event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%);
## Generated when a remote peer has answered to our ping. This event is part of
## Bro's infrastructure for measuring communication latency. One can send a ping
## by calling :bro:id:`send_ping` and when a corresponding reply is received, this
## event will be raised.
##
## p: The peer sending us the pong.
##
## seq: The sequence number passed to the original :bro:id:`send_ping` call.
## The number is sent back by the peer in its response.
##
## d1: The time interval between sending the ping and receiving the pong. This
## is the latency of the complete path.
##
## d2: The time interval between sending out the ping to the network and its
## reception at the peer. This is the network latency.
##
## d3: The time interval between when the peer's child process received the
## ping and when its parent process sent the pong. This is the
## processing latency at the peer.
##
## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
## remote_connection_established remote_connection_handshake_done
## remote_event_registered remote_log remote_state_access_performed
## remote_state_inconsistency print_hook
event remote_pong%(p: event_peer, seq: count,
d1: interval, d2: interval, d3: interval%);
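## The following is an added example of driving the ping/pong mechanism from
## the peer events above; it is not part of this file or of Bro's
## communication framework. It starts a periodic :bro:id:`send_ping` cycle
## for each peer once its handshake completes, stops when the peer goes away,
## and in ``remote_pong`` splits the round trip into the three components the
## event delivers, raising a notice when the full round trip exceeds a bound.
## It uses the ``id`` and ``descr`` fields of ``event_peer``; the ping
## interval, the bound and the notice type name are assumed values.

```bro
module PeerLatency;

export {
    redef enum Notice::Type += {
        ## Round-trip time to a communication peer exceeded the configured bound.
        Peer_Slow,
    };
    ## How often to ping each connected peer (assumed policy value).
    const ping_interval = 30sec &redef;
    ## Round-trip time above which a notice is raised (assumed policy value).
    const max_rtt = 2sec &redef;

    ## Internal event that sends the next ping to one peer.
    global do_ping: event(id: peer_id);
}

# Peers currently being pinged, keyed by peer id.
global peers: table[peer_id] of event_peer;
# Sequence number to use for the next ping, per peer.
global next_seq: table[peer_id] of count &default=0;

event do_ping(id: peer_id)
    {
    # The peer disconnected since the ping was scheduled: end the cycle.
    if ( id !in peers )
        return;

    local seq = next_seq[id];
    next_seq[id] = seq + 1;

    send_ping(peers[id], seq);
    schedule ping_interval { do_ping(id) };
    }

event remote_connection_handshake_done(p: event_peer)
    {
    peers[p$id] = p;
    event do_ping(p$id);
    }

event remote_connection_closed(p: event_peer)
    {
    delete peers[p$id];
    delete next_seq[p$id];
    }

event remote_pong(p: event_peer, seq: count, d1: interval, d2: interval, d3: interval)
    {
    # d1 is the full round trip, d2 the network delay ping->peer, d3 the
    # peer's processing delay; what remains is the return path plus our own
    # queueing.
    local remainder = d1 - d2 - d3;

    if ( d1 > max_rtt )
        NOTICE([$note=Peer_Slow,
                $msg=fmt("pong #%d from %s: rtt=%s net=%s peer=%s rest=%s",
                         seq, p$descr, d1, d2, d3, remainder),
                $identifier=cat(p$id),
                $suppress_for=10min]);
    }
```

## Breaking the round trip down this way tells apart a slow link (large *d2*)
## from an overloaded peer (large *d3*) without any extra instrumentation.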
## Generated each time a remote state access has been replayed locally. This event
## is primarily intended for debugging and measurement.
##
## id: The name of the Bro script variable that's being operated on.
##
## v: The new value of the variable.
##
## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
## remote_connection_established remote_connection_handshake_done
## remote_event_registered remote_log remote_pong remote_state_inconsistency
## print_hook
event remote_state_access_performed%(id: string, v: any%);
## Generated each time Bro's internal profiling log is updated. The file is
## defined by :bro:id:`profiling_file`, and its update frequency by
## :bro:id:`profiling_interval` and :bro:id:`expensive_profiling_multiple`.
##
## f: The profiling file.
##
## expensive: True if this event corresponds to heavier-weight profiling as
## indicated by the :bro:id:`expensive_profiling_multiple` variable.
##
## .. bro:see:: profiling_interval expensive_profiling_multiple
event profiling_update%(f: file, expensive: bool%);
## Generated each time Bro's script interpreter opens a file. This event is
## triggered only for files opened via :bro:id:`open`, and in particular not for
## normal log files as created by log writers.
##
## f: The opened file.
event file_opened%(f: file%);
## Generated for a received NetFlow v5 header. Bro's NetFlow processor raises this
## event whenever it either receives a NetFlow header on the port it's listening
## on, or reads one from a trace file.
##
## h: The parsed NetFlow header.
##
## .. bro:see:: netflow_v5_record
event netflow_v5_header%(h: nf_v5_header%);
## Generated for a received NetFlow v5 record. Bro's NetFlow processor raises this
## event whenever it either receives a NetFlow record on the port it's listening
## on, or reads one from a trace file.
##
## r: The parsed NetFlow record.
##
## .. bro:see:: netflow_v5_header
event netflow_v5_record%(r: nf_v5_record%);
## Raised for informational messages reported via Bro's reporter framework. Such
## messages may be generated internally by the event engine and also by other
## scripts calling :bro:id:`Reporter::info`.
##
## t: The time the message was passed to the reporter.
##
## msg: The message itself.
##
## location: A (potentially empty) string describing a location associated with the
## message.
##
## .. bro:see:: reporter_warning reporter_error Reporter::info Reporter::warning
## Reporter::error
##
## .. note:: Bro will not call reporter events recursively. If the handler of any
## reporter event triggers a new reporter message itself, the output will go to
## ``stderr`` instead.
event reporter_info%(t: time, msg: string, location: string%) &error_handler;
## Raised for warnings reported via Bro's reporter framework. Such messages may
## be generated internally by the event engine and also by other scripts calling
## :bro:id:`Reporter::warning`.
##
## t: The time the warning was passed to the reporter.
##
## msg: The warning message.
##
## location: A (potentially empty) string describing a location associated with the
## warning.
##
## .. bro:see:: reporter_info reporter_error Reporter::info Reporter::warning
## Reporter::error
##
## .. note:: Bro will not call reporter events recursively. If the handler of any
## reporter event triggers a new reporter message itself, the output will go to
## ``stderr`` instead.
event reporter_warning%(t: time, msg: string, location: string%) &error_handler;
## Raised for errors reported via Bro's reporter framework. Such messages may
## be generated internally by the event engine and also by other scripts calling
## :bro:id:`Reporter::error`.
##
## t: The time the error was passed to the reporter.
##
## msg: The error message.
##
## location: A (potentially empty) string describing a location associated with the
## error.
##
## .. bro:see:: reporter_info reporter_warning Reporter::info Reporter::warning
## Reporter::error
##
## .. note:: Bro will not call reporter events recursively. If the handler of any
## reporter event triggers a new reporter message itself, the output will go to
## ``stderr`` instead.
event reporter_error%(t: time, msg: string, location: string%) &error_handler;
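## The following is an added example of a ``reporter_error`` handler; it is
## not part of this file or of Bro's reporter framework. It deduplicates
## errors by message and *location* in an expiring table and raises a single
## notice once the same error has repeated a number of times, which is the
## usual way to turn a flood of identical internal errors into one actionable
## item. The threshold and notice type name are assumed values. The handler
## deliberately does not call ``Reporter::error`` itself: because reporter
## events are not delivered recursively, such a message would only go to
## ``stderr``.

```bro
module ReporterWatch;

export {
    redef enum Notice::Type += {
        ## The same reporter error was seen error_threshold times.
        Repeated_Error,
    };
    ## Repetitions of one (message, location) pair before a notice is raised
    ## (assumed policy value).
    const error_threshold = 25 &redef;
}

# Errors seen per (message, location); entries disappear after an hour
# without a further occurrence.
global error_counts: table[string, string] of count &default=0 &read_expire=1hr;

event reporter_error(t: time, msg: string, location: string)
    {
    # No Reporter::* calls in here: they would not re-enter this handler and
    # would end up on stderr instead.
    local n = error_counts[msg, location] + 1;
    error_counts[msg, location] = n;

    if ( n == error_threshold )
        NOTICE([$note=Repeated_Error,
                $msg=fmt("reporter error seen %d times (first at %s, location '%s'): %s",
                         n, strftime("%Y-%m-%d %H:%M:%S", t), location, msg),
                $identifier=cat(location, msg),
                $suppress_for=1hr]);
    }
```

## The empty-string *location* that internally generated messages may carry
## is a valid table key, so such errors are counted together as one group.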
## Raised for each policy script loaded by the script interpreter.
##
## path: The full path to the script loaded.
##
## level: The "nesting level": zero for a top-level Bro script and incremented
## recursively for each ``@load``.
event bro_script_loaded%(path: string, level: count%);
## Deprecated. Will be removed.
event stp_create_endp%(c: connection, e: int, is_orig: bool%);
# ##### Internal events. Not further documented.
## Event internal to the stepping stone detector.
event stp_resume_endp%(e: int%);
## Event internal to the stepping stone detector.
event stp_correlate_pair%(e1: int, e2: int%);
## Event internal to the stepping stone detector.
event stp_remove_pair%(e1: int, e2: int%);
## Event internal to the stepping stone detector.
event stp_remove_endp%(e: int%);
# ##### Deprecated events. Proposed for removal.
## Deprecated. Will be removed.
event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%);
## Deprecated. Will be removed.
event interconn_remove_conn%(c: connection%);
## Deprecated. Will be removed.
event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%);
## Deprecated. Will be removed.
event backdoor_remove_conn%(c: connection%);
## Deprecated. Will be removed.
event ssh_signature_found%(c: connection, is_orig: bool%);
## Deprecated. Will be removed.
event telnet_signature_found%(c: connection, is_orig: bool, len: count%);
## Deprecated. Will be removed.
event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%);
## Deprecated. Will be removed.
event root_backdoor_signature_found%(c: connection%);
## Deprecated. Will be removed.
event ftp_signature_found%(c: connection%);
## Deprecated. Will be removed.
event napster_signature_found%(c: connection%);
## Deprecated. Will be removed.
event gnutella_signature_found%(c: connection%);
## Deprecated. Will be removed.
event kazaa_signature_found%(c: connection%);
## Deprecated. Will be removed.
event http_signature_found%(c: connection%);
## Deprecated. Will be removed.
event http_proxy_signature_found%(c: connection%);
## Deprecated. Will be removed.
event smtp_signature_found%(c: connection%);
## Deprecated. Will be removed.
event irc_signature_found%(c: connection%);
## Deprecated. Will be removed.
event gaobot_signature_found%(c: connection%);
## Deprecated. Will be removed.
##
## .. todo:: Unclear what this event is for; it's never raised. We should just
## remove it.
event dns_full_request%(%) &group="dns";
## Deprecated. Will be removed.
event anonymization_mapping%(orig: addr, mapped: addr%);
## Deprecated. Will be removed.
event rotate_interval%(f: file%);
## Deprecated. Will be removed.
event rotate_size%(f: file%);
## Deprecated. Will be removed.
event print_hook%(f:file, s: string%);